WHITEPAPER

Ransomware: Your Money Or Your (Life) Files

A Short History Of Ransomware

“Fueled largely by the emergence of the online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime,” said Brian Krebs. Symantec reported in their August 2014 Intelligence Report that crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the end of August.

One of the key methods cybercriminals are using is ransomware, most famously the CryptoLocker malware and its numerous variants, which encrypts the files on a user’s computer and demands that the user pay a ransom, usually in Bitcoin, in order to receive the key to decrypt the files. But CryptoLocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.

Hacking Generations

Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion dollar global activity run by organized cybercrime, which hires experienced, professional coders and runs e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the attack on Iran’s uranium enrichment facilities or the cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person walking over from one PC to another with a floppy disk to transfer the virus.

Generation Two - These early-day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their “elite skills”.

Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal, who used them to send spam, mount attacks and carry out other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders, which resulted in much higher quality malware. This is when the first flavors of ransomware showed up. They were going for larger targets where more money could be stolen. This was also the time when traditional mafias got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fifth and current generation was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. Some examples of this specialization are:

• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown vulnerabilities) has been established

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal ‘supply chain’ and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

The History Of Ransomware

Now that we’ve sketched out the various hacking generations, let’s zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp, who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. He included a leaflet with the diskettes warning that the software would “adversely affect other program applications,” and that “you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.” The AIDS Trojan would count the number of times the computer was booted and, once the count reached 90, would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography, and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the user sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated a Windows activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a notice, appearing to be a Windows alert, which pops up on the infected machine telling the person that spyware was detected on their computer and then entices them to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer, with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had moved over into full-blown ransomware. “The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer,” says Russinovich. “Today’s scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all.”

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, and creating a full-screen window and constantly raising it to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user’s processes to continue running but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then, during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

“An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.”

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI’s Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OS X that ran in Safari and demanded a $300 fine. This time it didn’t lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank fraud or other crimes. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: “This addition affects more than 110 applications and turns your computer into a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules.” Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers’ apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the key must be recovered or the cryptography broken before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for anyone without a $10 billion budget.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. On infection it contacted a command-and-control server, which generated a 2048-bit RSA key pair for that victim and returned only the public key; the malware used that key to encrypt files with certain file extensions and deleted the originals, so the private key needed for recovery never existed on the victim’s machine. (Each file was actually encrypted with its own symmetric key, which was in turn encrypted with the RSA public key and stored with the file; this is why the decryption service described below could identify the right private key from the first 1024 bytes of a file.) It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013, when the going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised [website] located in the United States.” Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet, which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (the U.S., the Netherlands, Germany, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and the UK, among others) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May, since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

The original Gameover ZeuS/CryptoLocker network was taken down in late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt, since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has its own unique characteristics.

“All of these work in almost exactly the same way as the infamous traditional [CryptoLocker] we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and text instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.”

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying the ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written in C# while the original was in C++, so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files, which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense – CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, the key pair was generated on the victim’s machine with Windows’ built-in encryption APIs, which by default persist generated keys in the user’s key store, so a copy of the private key was left on the infected computer where it could be retrieved. Despite this flaw, the criminals still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker – SynoLocker appeared in August 2014. Unlike the others, which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) – Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an Eastern European country other than Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit – CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total of $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael (AES) algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014, Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families:

• Gimemo – The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom’s PRS or France’s SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.
• Reveton – The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.
• Urausy – Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

SMS Ransomware – This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors – These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware – The Master Boot Record (MBR) is the first sector of the hard drive; it holds the boot code and the partition table that allow the system to boot up. MBR ransomware overwrites the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system from that machine; booting from clean external media and inspecting sector 0 sidesteps the lockout, and the data on the disk is usually intact.

Mobile Ransomware – Most ransomware targets desktops and laptops, but there are also attacks designed for mobile devices. These include:

• Koler.a: Launched in April 2014, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.
• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless the phone already has security software installed, the only option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.
• Find My Phone: In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight-up con using people’s naiveté and features built into iOS. First, people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting in September 2013, ransomware became much more vicious and inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. The reasons these strains are being called second generation are as follows:

1) They use the Tor network for their Command & Control (C&C) servers, which makes them much harder to shut down.
2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.
3) Second-gen ransomware uses very strong cryptography, which makes decrypting it yourself impossible.
4) They compress files before encrypting them.
5) Second-gen ransomware is built as a commercial product, so it can be sold globally to other cybercriminals. It offers Bitcoin ransom amounts that the “customer” can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several likely areas of malware evolution:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy “pay-and-play” commercial ransomware.
2) Ransomware will expand beyond the Windows platform onto Apple’s devices. A ransom demand to unlock your iMac, iPhone or iPad has already taken place and is likely to occur with greater frequency. The same goes for the Android OS, which runs on both phones and tablets; the first waves of Android infections occurred in 2014.
3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.

The vast majority of these attacks will be launched from countries that do not have legislation (or sufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game: like the popular arcade game, the targets keep ducking out of the way before detection, only to pop up almost immediately somewhere else.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legitimate website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.
5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies. "With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the [adversary]’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought they were very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is not surprising that they cited Security Awareness Training (88%) as the most effective protection against ransomware, followed by backup at 81%.

Russian Cyber Mob Has Picked A Highly Profitable Business Model

The study asked what they would do when confronted with a scenario where backups have failed and weeks of work might be lost: an astounding 57% would begin with paying the $500 ransom and hope for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business

Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. For ransomware in particular, the copy that counts is the one the infected machine cannot reach: a backup on a mapped drive or writable share will be encrypted along with everything else. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also

If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn’t become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching any flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company’s network is secured.
This includes model. While the overwhelming majority of IT pros think the criminals behind ransomware should be the weakest point when it comes to blocking ransomware. employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe and/or whitelisting software as well as establishing secure policies such as not allowing programs to where these criminals are largely free to commit their crimes. The chances of them being brought to justice Let’s review some of the methods that are used to spread ransomware: auto-install, blocking ports, web ltering, share access restrictions, and encryption of data at rest and in at this time are remote. The Russian government seems to use these cybercriminals as a resource they can ight. The two biggest steps, however, are those that came up in the survey: backup and user training. bring to bear against countries they are in conict with. • Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It Real-time or near-time backup can be an eective countermeasure to minimize the damage caused by is, but by the scareware itself.) ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications Surprisingly, while Security Awareness Training was considered the most eective defense against and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness • CryptoLocker sent emails with infected attachments masked as resumes to companies that had but at least one is not spending money that criminals can use to nance further attacks. Training: It’s Not Just for Compliance found that 56% of employees, excluding posted job listings on sites like Craigslist. 
The moment anyone opens these documents, the security and IT sta, had not received any Security Awareness Training from their ransomware kicks in and downtime is the result. Part of the problem is that the people involved But this, or course, assumes that the backup is complete, organizations. The quality of such training also left a lot to be desired. The EMA with hiring are very often those with the most access; the owner, CEO, HR or department heads. If is current and is able to be restored. It report found that out of those who have had some training, it was not done they are duped by the bad guys, the consequences for the entire organization can be dire. would be nice if those three conditions frequently enough to have the desired results. “Employees predominantly received were the norm for backups, but training annually, even though a higher frequency of training has been found to be • The iPhone lockout worked by getting people to disclose their Apple IDs. unfortunately that is far from the case. more eective,” said the EMA report. The fact is that backups consistently fail. David Monahan, EMA Research Director, Security and Risk Management, believes • The Android hack got people to download the software thinking they would be seeing some porn. that training is one of the most important elements in any ransomware defense In surveys, most IT managers strategy. • Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad said they rely on backup to get and download the software. them out of a tight spot. However, “Security awareness training is critical for a solid security program,” said David 57% of them agree that if their Monahan, EMA Research Director, Security and Risk Management. 
“The organiza- It isn’t enough to include the security information covered in the employee handbook or conduct an annual backup fails, they would be forced to tions that fail to train their people are doing their business, their personnel and the training session, perhaps during lunch break. To be eective, employees must be reminded throughout the pay the ransom. Sadly, too many Internet as a whole a disservice because the training they provide at work aects year of security best practices and must be tested on the job, not in the classroom, to see if they are backups fail for this to be a wise how their employees make security decisions while they are on the Internet at home as well.” applying what they have learned. approach. According to a 2013 report by Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best Symantec, Avoiding the Hidden Costs of defense, and they also know that most employees receive no or ineective Security Awareness Training, it the Cloud, 47% of enterprises lost data in is no surprise why such a high percentage are concerned about ransomware and feel their systems are How Eective Is Security Awareness Training In the cloud and had to restore their ineective. information from backups, 37% of SMBs Combatting Ransomware? have lost data in the cloud and had to Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Guarding Against Ransomware restore their information from backups and a Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their Given the rapid spread and potentially high cost of ransomware, it is important to take eective steps to startling 66% of those organizations saw recovery operations fail. workstation, KnowBe4 pays your crypto-ransom. 
Find out how aordable this is for your organization now, guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is visit our website www.knowbe4.com. not a realistic expectation. True, there are occasional high prole successes, like the one against the “Storage media fails regardless of type; it is just a matter of when,” said Je Pederson, manager of data Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they check its storage capacity, and run as well as hard drive monitoring software. Beyond were before. good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.” Drew Robb is a freelance writer living In Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, information week and writers digest. Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and Your Money or Your Life Files those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders which resulted in much higher quality malware. This is when the rst rootkit avors A Short History Of Ransomware showed up. They were going for larger targets where more money could be stolen. This was also the time where traditional maas got wise to the potential and muscled into the game. 
Rackets like extortion of "The year 2014 may well go down in the history books as the year that online bookmakers started to show their ugly face in Generation Four. extortion attacks went mainstream.” -Brian Krebs, security journalist Generation Five - The main event that created the fth and current generation was the formation of an “Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are active underground economy, where stolen goods and illegal services are bought and sold in a ‘ whitepaper blurring the lines between online and o ine fraud, and giving novice computer users a crash course in professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has crypto-style ransomware has seen a 700 percent-plus increase. These le-encrypting versions of ransom- opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. ware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the Some examples of this specialization are: end of August. • Cybercrime has its own social networks with escrow services One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware, • Malware can be licensed and receive tech support and its numerous variants, which encrypts the les on a user’s computer and demands the user pay a • You can rent botnets by the hour, for your own crime spree ransom, usually in Bitcoins, in order to receive the key to decrypt the les. But Cryptolocker is just one • Pay-for-play malware infection services have appeared that quickly create botnets approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. 
To • A lively market for zero-day exploits (unknown software vulnerabilities) has been established guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take eective countermeasures against this evolving threat.

Hacking Generations The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing increases malware quality, speeds up the criminal ‘supply chain’ and eectively spreads risk among these nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. see what they could get away with. It is now a multi-billion global activity being run by organized Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing the miscreants have done over the last 10 years. services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the The History Of Ransomware cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai. Now that we’ve sketched out the various hacking generations let’s zero in on ransomware and how it has evolved over time. Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large 1989: Ransomware can be simply dened as a type of malware that restricts access to a computer system extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released with a oppy disk to transfer the virus. way back in 1989. 
It was written by Harvard-trained evolutionary biologist Joseph L. Popp who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Generation Two - These early day ‘sneaker-net’ viruses were followed by a much more malicious type of Organization’s international AIDS conference. He included a leaet with the diskettes warning that the super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that software would “adversely aect other program applications,” and that “you will owe compensation and started to cause multi-million dollar losses. These were still more or less created to get notoriety, with possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.”The students showing o their “elite skills”. AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the les on the C: drive. To regain access, the user Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for would have to send $189 to PC Cyborg Corp. at a post oce box in Panama. easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to nd symmetric cryptography and tools were soon available to decrypt the lenames. But the AIDS Trojan set the and easy to disinfect. scene for what was to come – though it took a little while to move into high gear.

1

2006:When the professionals entered the picture, they combined ransomware with RSA encryption. In day. According to McAfee, part of this was that anonymous payment services made it much easier to Stealer. According to Avast: “This addition aects more than 110 applications and turns your computer to a 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to collect money than the credit card payment systems that were used with the earlier wave of fake AV botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 purchase items from an online pharmacy to receive the 30-digit password. In June 2006, the GPcode, an software scams. German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, encryption Trojan which initially spread via an email attachment purporting to be a job application, used a FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key. But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for submodules.” distributing malware and managing botnets that rst surfaced in January 2012. As the McAfee In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked report stated: Reveton is a good example of the criminal ecosystem that now exists; malware writers license other out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive malware writer's apps and integrate them for more prot. Pony is very advanced and can pluck and decrypt the unlocking code. 
Another ransomware worm imitated the Windows Product Activation notice and gave “An underground ecosystem is already in place to help with services such as pay-per-install on computers encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs. the person an international number to call to input a six-digit code. The call would be rerouted through a that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the country with high international phone rates, and the person would be kept on hold while the fees underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local September 2013: CryptoLocker burst onto the scene racked up. law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a services in a specic country—for just a share of the prot instead of for a xed amount.” lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With An alternative approach seen in recent years is scareware. Instead of encrypting les or locking people out, encryption, however, the code must be cracked before the les can be decrypted. And, though there are you do something to spook them into making payments. Such scareware, for example, can consist of a Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person criminal ne. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes anyone without a $10 billion budget. 
that spyware was detected on their computer and which would might be pirated software or child pornography, for example. The user would be locked out of the infected then entice the person to purchase software to remove the computer and the screen be taken over by a notice informing the user of their crime and instructing them Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, spyware. Others report that child pornography or illegally that to unlock their computer they must pay the appropriate ne using a service such as Ukash, Paysafe or essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads downloaded movies were found on the computer with a MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, demand that the person pay a fee to avoid prosecution. the appearance that the person is being recorded by the police. and used it to encrypt les with certain le extensions, and delete the originals. It would then threaten to In January 2013, Mark Russinovich, developer of the delete the private key if payment was not received within three days. Payments initially could be received sysinternals Windows management tools noted that since he Reveton rst showed up in Europe countries in early 2012. In the UK, the screen appeared to be coming in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment rst wrote about scareware in 2006, many of the attacks had from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to now moved over into full-blown ransomware. Service or the Police Central e-Crime Unit. 
In Germany, it was the Bundespolizei; in Norway, the Norsk Politi get their les back. While prices vary over time and with the particular version being used, in Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original “The examples in my 2006 blog post merely nagged you that versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and your system was infected, but otherwise let you continue to use FBI, demanding a $200 dollar payment via a MoneyPak card. In November, another version came out control servers. After paying for that service, the rst 1024 bytes of an encrypted le would be uploaded to the computer,” says Russinovich. “Today’s scareware prevents pretending to be from the FBI’s Internet Crime Complaint Center (IC3). the server and the server would then search for the associated private key. you from running security and diagnostic software at the minimum, and often prevents you from executing any software Like most malware, Reveton According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the at all.” continues to evolve. In July 2013, Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the the IC3 announced a version for samples were downloaded from a compromised website located in the United States.”Versions were also Techniques include blocking the execution of other programs by OSX that ran in Safari and distributed to business professionals in the form of email attachments that were made to look like simply watching for the appearance of new windows and demanded a $300 ne. This time it customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. 
Prices forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a didn’t lock the computer or were initially set at $100, €100, £100, two Bitcoins or other gures for various currencies. But over the next new desktop, creating a full-screen window and constantly raising the window to the top of the window encrypt the les, but just opened a few months the cash price was raised to $300 while, with the rapid price ination of Bitcoins, it was order. Other than the rst which actually kills the processes, these techniques allow the user’s processes to large number of iframes (browser lowered to 0.3 Bitcoins. continue running, but mask them so they are inaccessible. windows) that the user would have to close. In July 2013, a December 2013: 250,000 machines infected version purporting to be from the Department of Homeland Security locked computers and demanded a In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet $300 ne. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security found a researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been version masquerading as fake security software known as Live Security Professional. moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other 2012: The rst large scale ransomware outbreak It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the payment methods. By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can there were about 30,000 new ransomware samples detected in each of the rst two quarters of 2011. 
Then still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing during the third quarter, the number doubled, and it surpassed 100,000 in the rst quarter of 2012. malware, which includes password stealers and which can also disable security software. In August 2014, online banking information since 2011. June, 2014, a multi-national team composed of government Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per Avast Software reported that Reveton had added a new, more powerful password stealer called Pony agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and UK) and private companies, primarily Dell SecureWorks and CloudStrike, managed to disable RSA-1024. However, the infection methods were the same and the screen image very close to the original Dierent Ransomware Families the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. Ransomware breaks down into several dierent malware families. Bogachev who operated the botnet from his base on the Black Sea. However, you will notice that Russia is However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the not listed as one of the participating governments, and given the current geopolitical situation it is unlikely infected computer. Despite this aw, the hackers still managed to earn at least $34,000 in the rst month, WinLock/Police Ransomware–Police Ransomware is software, like Reveton, that displays a message that he will ever show up in court. according to Symantec. that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and August 2014, security rms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was displaying a screen giving the message from the “police.”This software started out in Eastern Europe, that they had jointly developed a program that may be able to decrypt les that were encrypted by the designed for Synology network attached storage devices. And unlike most encryption ransomware, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of original CryptoLocker botnet. 
dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families:

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages purporting to come from copyright enforcement agencies such as the United Kingdom's PRS or France's SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.

• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.

• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May, since later infections are likely to use different encryption keys.

As Tyler Moffitt of Webroot put it: "While seizing the majority of the GameOver Zeus Botnets from the suspected "mastermind" Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it's a very bold claim to state that Cryptolocker has been 'neutralized'. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev's servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease."

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

CryptoLocker Copycats

The original Gameover ZeuS/CryptoLocker network was taken down in late May 2014, but resurfaced by July 2014. In fact, you didn't even have to wait for that network to be rebuilt, since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has its own unique characteristics.

"All of these work in almost exactly the same way as the infamous traditional cryptolocker we've all seen, but they have some improvements," says Moffitt. "First is that there is no GUI and instead just background changes and texts instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits."

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++, so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used

CryptorBit – This surfaced in December 2013. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim's computer to mine digital coins such as Bitcoin and deposit them in the malware developer's digital wallet.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn't store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): "CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing." More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total of $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker "is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families." It spreads through spam and uses the Rijndael algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014 Trend Micro reported a new ransomware that doesn't encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

SynoLocker – SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) – Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.
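The copycats above share two symptoms a defender can check for without knowing which family is involved: file headers that no longer match their extension (CryptorBit overwrites the first 212 or 1024 bytes; full encryptors replace the whole file with ciphertext) and the text ransom note that Moffitt describes being dropped into every encrypted directory. The Python script below is an added example, not code from this whitepaper or from any of the families it describes. It builds a small constructed directory tree and triages it with those heuristics; the magic-byte table, the ransom-note keywords, the 7.5 bits/byte entropy threshold and the 1 KiB windows are assumptions chosen for the example.

```python
"""Triage a directory tree for the symptoms of file-encrypting ransomware.

Added example; not code from the whitepaper or from any ransomware family.
Heuristics (all assumptions made for this example):
  1. magic bytes: a file whose extension promises a known header but whose
     first bytes do not match has had its header overwritten (CryptorBit
     pattern) or has been replaced by ciphertext (CryptoLocker pattern);
  2. entropy: for such a file, a second 1 KiB window past the header tells
     the two cases apart, since a clobbered header leaves plaintext behind it;
  3. ransom notes: small text files that mention payment and decryption.
"""
import math
import random
import tempfile
from pathlib import Path

# Expected leading bytes per extension (assumed subset; extend as needed).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
}
NOTE_WORDS = ("bitcoin", "decrypt", "private key", "tor")  # assumed note vocabulary
ENTROPY_THRESHOLD = 7.5   # bits/byte; assumed cut-off for "looks like ciphertext"
WINDOW = 1024             # the window CryptorBit and CryptoLocker's decryptor used


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path: Path) -> str:
    """One of: ransom_note, intact, header_damaged, encrypted, unknown."""
    data = path.read_bytes()
    head, tail = data[:WINDOW], data[WINDOW:2 * WINDOW]
    ext = path.suffix.lower()
    if ext in (".txt", ".html") and len(data) < 8192:
        text = data.decode("utf-8", errors="ignore").lower()
        if sum(word in text for word in NOTE_WORDS) >= 2:
            return "ransom_note"
    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown"
    if head.startswith(expected):
        return "intact"
    # Header is wrong. If the bytes after the window are still low-entropy the
    # body survived (CryptorBit style) and the file may be repairable.
    if tail and shannon_entropy(tail) < ENTROPY_THRESHOLD:
        return "header_damaged"
    return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "unknown"


def scan_tree(root: Path) -> dict:
    """Classify every file under `root` and roll the results up to a verdict."""
    report = {"files": {}, "dirs_with_notes": set(), "suspect_files": 0}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        verdict = classify_file(path)
        report["files"][path.relative_to(root).as_posix()] = verdict
        if verdict == "ransom_note":
            report["dirs_with_notes"].add(path.parent.relative_to(root).as_posix())
        elif verdict in ("header_damaged", "encrypted"):
            report["suspect_files"] += 1
    if report["dirs_with_notes"] and report["suspect_files"]:
        report["verdict"] = "RANSOMWARE_LIKELY"
    elif report["suspect_files"] or report["dirs_with_notes"]:
        report["verdict"] = "SUSPECT"
    else:
        report["verdict"] = "CLEAN"
    return report


def _pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded so results are reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_sample_tree(root: Path) -> Path:
    """Write a constructed victim directory: two intact files, one with its
    header clobbered, one fully encrypted, and a ransom note in each folder."""
    body = b"Quarterly figures are attached for review by finance.\n" * 40
    note = (b"Your files have been encrypted with a 2048-bit key.\n"
            b"Install the Tor browser and pay 0.5 bitcoin to obtain the private key\n"
            b"and the decrypt tool.\n")
    finance = root / "docs" / "finance"
    finance.mkdir(parents=True)
    (root / "docs" / "report.pdf").write_bytes(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n" + body)
    (root / "docs" / "logo.png").write_bytes(MAGIC[".png"] + _pseudo_random(512, seed=1))
    (root / "docs" / "notes.txt").write_bytes(b"Meeting moved to 3pm.\n")
    (finance / "budget.pdf").write_bytes(_pseudo_random(WINDOW, seed=2) + body)  # CryptorBit style
    (finance / "q3.docx").write_bytes(_pseudo_random(4 * WINDOW, seed=3))       # fully encrypted
    for folder in (root / "docs", finance):
        (folder / "DECRYPT_INSTRUCTIONS.txt").write_bytes(note)
    return root


def demo_report() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    root = Path(tempfile.mkdtemp(prefix="ransom-triage-"))
    return scan_tree(build_sample_tree(root))


if __name__ == "__main__":
    rep = demo_report()
    for name, verdict in rep["files"].items():
        print(f"{verdict:15} {name}")
    print("verdict:", rep["verdict"], "| notes in:", sorted(rep["dirs_with_notes"]))
```

Telling header_damaged apart from encrypted is the practical payoff: a CryptorBit victim's data past the first kilobyte is intact and many formats can be rebuilt from a known-good header, whereas a fully encrypted file cannot be recovered without the key. Run against a real file server the same scan would be scheduled and its verdict forwarded to the SIEM; the thresholds should be tuned against a clean baseline first, since compressed formats legitimately score high on entropy.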

SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the first sector of the hard drive and contains the data that allows the system to boot up. MBR ransomware changes the computer's MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won't load the operating system, the user can't run tools to remove the infection and repair the system.

Mobile Ransomware: Most ransomware targets desktops/laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn't say by whom.

• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless phones already have security software, the only option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.

• Find My Phone: In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by "Oleg Pliss" and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn't involve installing any malware, but was simply a straight-up con using people's naiveté and features built into iOS. First, people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. The reasons that these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers, which makes them much harder to shut down.

2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.

3) Second-gen ransomware uses super strong cryptography, which makes decrypting it yourself impossible.

4) They compress files before encrypting them.

5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several likely areas of malware evolution:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware. The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.

3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legit website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.

5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies. "With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company's 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker's deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn't protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought they were very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is not surprising that they cited Security Awareness Training (88%) as the most effective protection against ransomware, followed by backup at 81%.

Russian Cyber Mob Has Picked A Highly Profitable Business Model

The study asked what they would do when confronted with a scenario where backups have failed and weeks of work might be lost; an astounding 57% would begin with paying the $500 ransom and hope for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource they can bring to bear against countries they are in conflict with.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

If one is hit and can't recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn't become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching any flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company's network is secured. This includes employees' smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as establishing secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks. But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

"Storage media fails regardless of type; it is just a matter of when," said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. "To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss."

Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also the weakest point when it comes to blocking ransomware.

Let's review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)

• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.

• The iPhone lockout worked by getting people to disclose their Apple IDs.

• The Android hack got people to download the software thinking they would be seeing some porn.

• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and download the software.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It's Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that out of those who have had some training, it was not done frequently enough to have the desired results. "Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective," said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy. "Security awareness training is critical for a solid security program," said Monahan. "The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well."

It isn't enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best defense, and they also know that most employees receive no or ineffective Security Awareness Training, it is no surprise why such a high percentage are concerned about ransomware and feel their systems are ineffective.

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now; visit our website www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.

Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders, which resulted in much higher quality malware. This is when the first rootkit flavors showed up. They were going for larger targets where more money could be stolen. This was also the time where traditional mafias got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fifth and current generation was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a 'professional' manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the 'industry' to relatively inexperienced criminals who can learn the trade and get to work quickly. Some examples of this specialization are:

• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

"Cybercrime now specializes in different markets (you can call them criminal segments), that taken all together form the full criminal supply-chain."

"Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the end of August.

One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware and its numerous variants, which encrypts the files on a user's computer and demands the user pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.

Hacking Generations

Let's begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion global activity being run by organized cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran's uranium enrichment facilities or the cyberespionage specialists of People's Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation Two - These early day 'sneaker-net' viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their "elite skills".

Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal, who used the botnet to send spam, attack websites, commit identity theft and other nefarious activities. The malware used was more advanced than the code of the 'pioneers' but was still easy to find and easy to disinfect.

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal 'supply chain' and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

The History Of Ransomware

Now that we've sketched out the various hacking generations, let's zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp, who sent 20,000 infected diskettes labeled "AIDS Information – Introductory Diskettes" to attendees of the World Health Organization's international AIDS conference. He included a leaflet with the diskettes warning that the software would "adversely affect other program applications," and that "you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally." The AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come – though it took a little while to move into high gear.
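Why "simple symmetric cryptography" made the AIDS Trojan recoverable is worth seeing in code. The Python script below is an added example and does not reproduce the Trojan's real file-name cipher: a repeating-key XOR over DOS 8.3 file names stands in for it (an assumption), and the recovery is a known-plaintext attack that exploits what every victim already knew, namely that each name ends in one of a handful of extensions. The sample directory listing and the key are constructed for the example.

```python
"""Why Generation One ransomware was recoverable.

Added example; the AIDS Trojan's real file-name cipher is not reproduced.
A repeating-key XOR over DOS 8.3 names stands in for "simple symmetric
cryptography" (an assumption), and the defender's advantage is modelled as a
known-plaintext attack on the file extension.  Names and key are constructed.
"""
import re
from collections import Counter

EXTENSIONS = (b".EXE", b".COM", b".BAT", b".TXT", b".SYS", b".DBF")  # assumed cribs
DOS_NAME = re.compile(rb"^[A-Z0-9_]{1,8}\.[A-Z0-9]{1,3}$")          # upper-case 8.3


def xor_scramble(name: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call scrambles and unscrambles."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(name))


def recover_key(ciphertexts, key_len: int, cribs=EXTENSIONS) -> bytes:
    """Known-plaintext attack on the file extension.

    Each scrambled name ends in one of a few known extensions.  For every
    ciphertext and every candidate extension we derive the key bytes that
    would sit under those trailing bytes; the true extension votes for the
    same key byte in every file, wrong ones scatter.  The top-voted byte per
    key position is then verified by unscrambling every name.
    """
    votes = [Counter() for _ in range(key_len)]
    for ct in ciphertexts:
        for crib in cribs:
            start = len(ct) - len(crib)
            if start < 0:
                continue
            for i, plain in enumerate(crib):
                votes[(start + i) % key_len][ct[start + i] ^ plain] += 1
    if any(not v for v in votes):
        raise ValueError("ciphertexts do not cover every key position")
    key = bytes(v.most_common(1)[0][0] for v in votes)
    bad = [ct for ct in ciphertexts if not DOS_NAME.match(xor_scramble(ct, key))]
    if bad:
        raise ValueError(f"recovered key does not unscramble {len(bad)} name(s)")
    return key


# Constructed victim directory listing and the key "hidden" inside the Trojan.
SAMPLE_NAMES = [b"AUTOEXEC.BAT", b"COMMAND.COM", b"INSTALL.EXE", b"README.TXT",
                b"AIDS.EXE", b"CONFIG.SYS", b"LOTUS.COM", b"WP.EXE", b"DATA1.DBF"]
SAMPLE_KEY = b"\x5a\xc3\x11\x99"


def demo():
    """Scramble the listing, throw the key away, recover it from ciphertext only."""
    scrambled = [xor_scramble(n, SAMPLE_KEY) for n in SAMPLE_NAMES]
    key = recover_key(scrambled, key_len=len(SAMPLE_KEY))
    return key, [xor_scramble(ct, key) for ct in scrambled]


if __name__ == "__main__":
    key, names = demo()
    print("recovered key:", key.hex())
    for n in names:
        print(" ", n.decode())
```

Nothing here needs a copy of the Trojan: the scrambled names alone leak the key because it is short, reused and applied to predictable plaintext. That is the weakness the 2006 move to RSA public keys closed, since from then on the key needed to undo the damage was never present on the victim's machine at all.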


2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

"An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer's regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount."

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact "crime" and "law enforcement agency" are tailored to the user's locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions also would take over the computer's webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London's Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI's Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OSX that ran in Safari and demanded a $300 fine. This time it

Stealer. According to Avast: "This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules."

Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the code must be cracked before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for anyone without a $10 billion budget.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, and used it to encrypt files with certain file extensions and delete the originals. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn't received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013, when the going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, "The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States." Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person that spyware was detected on their computer and which would then entice the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer, with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had now moved over into full-blown ransomware.

"The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer," says Russinovich. "Today's scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all."

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and
Prices forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a didn’t lock the computer or were initially set at $100, €100, £100, two Bitcoins or other gures for various currencies. But over the next new desktop, creating a full-screen window and constantly raising the window to the top of the window encrypt the les, but just opened a few months the cash price was raised to $300 while, with the rapid price ination of Bitcoins, it was order. Other than the rst which actually kills the processes, these techniques allow the user’s processes to large number of iframes (browser lowered to 0.3 Bitcoins. continue running, but mask them so they are inaccessible. windows) that the user would have to close. In July 2013, a December 2013: 250,000 machines infected version purporting to be from the Department of Homeland Security locked computers and demanded a In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet $300 ne. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security found a researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been version masquerading as fake security software known as Live Security Professional. moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other 2012: The rst large scale ransomware outbreak It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the payment methods. By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can there were about 30,000 new ransomware samples detected in each of the rst two quarters of 2011. 
Then still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing during the third quarter, the number doubled, and it surpassed 100,000 in the rst quarter of 2012. malware, which includes password stealers and which can also disable security software. In August 2014, online banking information since 2011. June, 2014, a multi-national team composed of government Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per Avast Software reported that Reveton had added a new, more powerful password stealer called Pony agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May, since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

The original Gameover ZeuS/CryptoLocker network was taken down in late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt, since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has their own unique characteristics.

"All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and texts instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.”

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++, so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense – Arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. That is the opposite of CryptoLocker's design, where the private key never touched the victim: a file encryptor that generates or caches its key pair on the infected host leaves the decryption key recoverable by anyone who examines the disk. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker – Appeared in August 2014. Unlike the others, which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) – Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an Eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit – Surfaced in December 2013. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total of $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm (the cipher standardized as AES) for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014 Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families:

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS or France's SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.

• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.

• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.
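The file encryptors described above, CryptoLocker and its copycats, leave traces a defender can look for without knowing the particular strain: a document or image whose contents have turned into near-random bytes that no longer start with the header its extension promises (CryptorBit's overwriting of the first 212 or 1024 bytes produces the same symptom), and, as Moffitt notes, text instructions dropped into every encrypted directory. As an added example, not code from the paper or from any product it mentions, the Python below scores a directory snapshot on those signals. The magic-byte table, the 7.5 bits-per-byte entropy threshold, the 50% directory ratio and the ransom-note name fragments are assumptions chosen for illustration, and the sample snapshot is constructed inline.

```python
import hashlib
import math
import posixpath
from collections import Counter, defaultdict

# Magic bytes for a few document and image types. A file that carries one of
# these extensions but no longer starts with its magic has had its header
# overwritten: whole-file encryption (CryptoLocker and copycats) and CryptorBit's
# corruption of the first 212 or 1024 bytes both look like this.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

# Name fragments that mark the "instructions in every directory" ransom notes.
# Assumed patterns for this example, not a list taken from the paper.
NOTE_HINTS = ("decrypt", "restore_files", "how_to_recover")

ENTROPY_THRESHOLD = 7.5  # bits per byte; documents and images sit well below this
ENCRYPTED_RATIO = 0.5    # flag a directory once half its data files look encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling for a uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_mismatch(name: str, data: bytes) -> bool:
    """True when the extension promises a magic header that the content lacks."""
    magic = MAGIC.get(posixpath.splitext(name)[1].lower())
    return magic is not None and not data.startswith(magic)


def looks_encrypted(name: str, data: bytes) -> bool:
    """Wrong header AND near-random content; either signal alone is too noisy."""
    return header_mismatch(name, data) and shannon_entropy(data) >= ENTROPY_THRESHOLD


def is_ransom_note(name: str) -> bool:
    base = posixpath.basename(name).lower()
    return base.endswith((".txt", ".html")) and any(h in base for h in NOTE_HINTS)


def assess_tree(files: dict) -> dict:
    """Map {path: content} to {directory: verdict} for directories that look hit."""
    by_dir = defaultdict(list)
    for path, data in files.items():
        by_dir[posixpath.dirname(path)].append((path, data))
    report = {}
    for directory, entries in by_dir.items():
        data_files = [(p, d) for p, d in entries
                      if posixpath.splitext(p)[1].lower() in MAGIC]
        encrypted = sorted(p for p, d in data_files if looks_encrypted(p, d))
        notes = sorted(p for p, _ in entries if is_ransom_note(p))
        ratio = len(encrypted) / len(data_files) if data_files else 0.0
        if notes or ratio >= ENCRYPTED_RATIO:
            report[directory] = {"encrypted": encrypted, "notes": notes,
                                 "ratio": round(ratio, 2)}
    return report


def pseudo_random(seed: str, size: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (test data only)."""
    out = bytearray()
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:size])


# Constructed snapshot: one healthy directory and one hit by a file encryptor.
SAMPLE_TREE = {
    "home/alice/reports/q1.pdf": b"%PDF-1.4\n" + b"Quarterly report text. " * 40,
    "home/alice/reports/q1.docx": b"PK\x03\x04" + b"word/document.xml " * 50,
    "home/alice/reports/logo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 2,
    "home/alice/finance/budget.xlsx": pseudo_random("budget", 2048),
    "home/alice/finance/invoice.pdf": pseudo_random("invoice", 2048),
    "home/alice/finance/scan.jpg": pseudo_random("scan", 2048),
    "home/alice/finance/DECRYPT_INSTRUCTIONS.txt": b"Your files have been encrypted ...",
}

if __name__ == "__main__":
    for directory, verdict in assess_tree(SAMPLE_TREE).items():
        print(directory, verdict)
```

To run it over a real tree, build the dictionary from os.walk with only the first few kilobytes of each file; the header check is enough on a prefix and the entropy estimate stabilises well before a megabyte. The per-directory ratio matters more than any single hit, because compressed archives and files that were already encrypted by the user are high-entropy too, which is why the entropy test is only consulted once the header is wrong.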

SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the first sector of the hard drive; it holds the boot code and partition table that allow the system to boot up. MBR ransomware changes the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system.

Mobile Ransomware: Most ransomware targets desktops/laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.

• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless phones already have security software, the only option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.

• Find My Phone – In May 2014, iOS device users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight-up con using people’s naiveté and features built into iOS. First people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. The reasons that these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers, which makes them much harder to shut down.

2) Traffic between the malware that lives on the infected machine and its C&C servers rides over Tor and is much harder to intercept.

3) Second-gen ransomware uses properly implemented strong cryptography, with the private key held only by the attacker, which makes decrypting it yourself impossible.

4) They compress files before encrypting them.

5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several likely areas of malware evolution:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.

2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.

3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay. The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legitimate website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.

5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies.

"With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought they were very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%.

Given this lack of confidence, it is not surprising that they cited Security Awareness Training (88%) as the most effective protection against ransomware, followed by backup at 81%.

Russian Cyber Mob Has Picked A Highly Profitable Business Model

The study asked what they would do when confronted with a scenario where backups have failed and weeks of work might be lost; an astounding 57% would begin with paying the $500 ransom and hope for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource they can bring to bear against countries they are in conflict with.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It’s Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that out of those who have had some training, it was not done frequently enough to have the desired results. “Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective,” said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy.

“Security awareness training is critical for a solid security program,” said Monahan. “The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well.”

Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best defense, and they also know that most employees receive no or ineffective Security Awareness Training, it is no surprise why such a high percentage are concerned about ransomware and feel their systems are ineffective.

Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training.

Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also the weakest point when it comes to blocking ransomware.

Let’s review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)

• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.

• The iPhone lockout worked by getting people to disclose their Apple IDs.

• The Android hack got people to download the software thinking they would be seeing some porn.

• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and download the software.

It isn’t enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn’t become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching any flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company’s network is secured. This includes employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as establishing secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks.

But this, of course, assumes that the backup is complete, is current and is able to be restored. Against ransomware specifically it also assumes that the backup was not itself reachable from the infected machine: a file encryptor runs with the logged-in user's privileges, so a mapped drive, a synced folder or a permanently attached USB disk is just more files to encrypt, which is why at least one of the three copies in the 3-2-1 scheme must be offline or otherwise unwritable from the host. It would be nice if those conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

“Storage media fails regardless of type; it is just a matter of when,” said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.”

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now: visit our website www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.

Generation Five - The main event that created the fth and current generation was the formation of an “Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are active underground economy, where stolen goods and illegal services are bought and sold in a ‘ blurring the lines between online and o ine fraud, and giving novice computer users a crash course in professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has crypto-style ransomware has seen a 700 percent-plus increase. These le-encrypting versions of ransom- opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. ware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the Some examples of this specialization are: end of August. • Cybercrime has its own social networks with escrow services One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware, • Malware can be licensed and receive tech support and its numerous variants, which encrypts the les on a user’s computer and demands the user pay a • You can rent botnets by the hour, for your own crime spree ransom, usually in Bitcoins, in order to receive the key to decrypt the les. But Cryptolocker is just one • Pay-for-play malware infection services have appeared that quickly create botnets approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To • A lively market for zero-day exploits (unknown software vulnerabilities) has been established guard against ransomware, it is not enough to know the malware that is making the rounds that day. 
It is vital to have a broader understanding of the topic, so one can take eective countermeasures against this evolving threat.

Hacking Generations The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing increases malware quality, speeds up the criminal ‘supply chain’ and eectively spreads risk among these nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. see what they could get away with. It is now a multi-billion global activity being run by organized Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing the miscreants have done over the last 10 years. services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the The History Of Ransomware cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai. Now that we’ve sketched out the various hacking generations let’s zero in on ransomware and how it has evolved over time. Generation One -Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large 1989: Ransomware can be simply dened as a type of malware that restricts access to a computer system extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released with a oppy disk to transfer the virus. way back in 1989. 
It was written by Harvard-trained evolutionary biologist Joseph L. Popp who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Generation Two -These early day ‘sneaker-net’ viruses were followed by a much more malicious type of Organization’s international AIDS conference. He included a leaet with the diskettes warning that the super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that software would “adversely aect other program applications,” and that “you will owe compensation and started to cause multi-million dollar losses. These were still more or less created to get notoriety, with possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.”The students showing o their “elite skills”. AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the les on the C: drive. To regain access, the user Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for would have to send $189 to PC Cyborg Corp. at a post oce box in Panama. easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to nd symmetric cryptography and tools were soon available to decrypt the lenames. But the AIDS Trojan set the and easy to disinfect. scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, the GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person that spyware was detected on their computer and which would then entice the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had now moved over into full-blown ransomware.

“The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer,” says Russinovich. “Today’s scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all.”

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, creating a full-screen window and constantly raising the window to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user’s processes to continue running, but mask them so they are inaccessible. “Without advanced malware cleaning skills, a system infected with ransomware is usable only to give in to the blackmailer’s demands to pay.”

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

“An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.”

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen be taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI’s Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OSX that ran in Safari and demanded a $300 fine. This time it didn’t lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: “This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules.”

Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the code must be cracked before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for anyone without a $10 billion budget.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, and used it to encrypt files with certain file extensions, and delete the originals. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States.” Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada, Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/) is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May since later infections are likely to use different encryption keys.

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

CryptoLocker Copycats

The original Gameover ZeuS/CryptoLocker network was taken down late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has their own unique characteristics.

"All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and text instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.”

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++, so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) – Also known as Critoni.A. This was discovered midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014 Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families.

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS or France's SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.
• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.
• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the partition of the hard drive that contains the data that allows the system to boot up. MBR ransomware changes the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system.

Mobile Ransomware: Most ransomware targets desktops/laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.
• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless phones already have security software, the option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.
• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight up con using people’s naiveté and features built into iOS. First people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified.

The reasons that these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers which makes them much harder to shut down.
2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.
3) Second-gen ransomware uses super strong cryptography which makes decrypting it yourself impossible.
4) They compress files before encrypting them.
5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several areas of malware evolution that are likely to appear:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.
2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.
3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.

The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legitimate website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.
5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies. "With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought it was very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is

not surprising that they cited Security Awareness Training (88%) as the most eective protection against If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals Backup Is Not Enough ransomware, followed by backup at 81%. more money for future attacks so it is far better to take steps ahead of time to ensure that one doesn’t So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two become a victim in the rst place. This requires a complete, defense-in-depth strategy. dierent types of media, with one osite) and test the restore function on a regular basis. But a better Russian Cyber Mob Has Picked A Highly Pro table A simple step to start with is making sure that every piece of software is kept up to date. The hackers are approach is to make sure you never get infected in the rst place. This requires Security Awareness Training. Business Model looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of Regardless of how well the defense perimeter is designed the bad guys will always nd a way in. Why? patching any aws once they are found, but if the patches are never applied you have left the door wide The study asked what they would do when confronted with a scenario where backups have failed and Employees are the weakest link in any type of IT system. Data recovery rm Kroll Ontrack reports that with open for attacks. weeks of work might be lost, an astounding 57% would begin with paying the $500 ransom and hope for traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or the best. Based on these ndings, it appears the Russian cyber mob has picked a highly protable business power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also One should also ensure that every device that connects to the company’s network is secured. 
This includes model. While the overwhelming majority of IT pros think the criminals behind ransomware should be the weakest point when it comes to blocking ransomware. employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe and/or whitelisting software as well as establishing secure policies such as not allowing programs to where these criminals are largely free to commit their crimes. The chances of them being brought to justice Let’s review some of the methods that are used to spread ransomware: auto-install, blocking ports, web ltering, share access restrictions, and encryption of data at rest and in at this time are remote. The Russian government seems to use these cybercriminals as a resource they can ight. The two biggest steps, however, are those that came up in the survey: backup and user training. bring to bear against countries they are in conict with. • Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It Real-time or near-time backup can be an eective countermeasure to minimize the damage caused by is, but by the scareware itself.) ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications Surprisingly, while Security Awareness Training was considered the most eective defense against and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness • CryptoLocker sent emails with infected attachments masked as resumes to companies that had but at least one is not spending money that criminals can use to nance further attacks. Training: It’s Not Just for Compliance found that 56% of employees, excluding posted job listings on sites like Craigslist. 
The moment anyone opens these documents, the security and IT sta, had not received any Security Awareness Training from their ransomware kicks in and downtime is the result. Part of the problem is that the people involved But this, or course, assumes that the backup is complete, organizations. The quality of such training also left a lot to be desired. The EMA with hiring are very often those with the most access; the owner, CEO, HR or department heads. If is current and is able to be restored. It report found that out of those who have had some training, it was not done they are duped by the bad guys, the consequences for the entire organization can be dire. would be nice if those three conditions frequently enough to have the desired results. “Employees predominantly received were the norm for backups, but training annually, even though a higher frequency of training has been found to be • The iPhone lockout worked by getting people to disclose their Apple IDs. unfortunately that is far from the case. more eective,” said the EMA report. The fact is that backups consistently fail. David Monahan, EMA Research Director, Security and Risk Management, believes • The Android hack got people to download the software thinking they would be seeing some porn. that training is one of the most important elements in any ransomware defense In surveys, most IT managers strategy. • Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad said they rely on backup to get and download the software. them out of a tight spot. However, “Security awareness training is critical for a solid security program,” said David 57% of them agree that if their Monahan, EMA Research Director, Security and Risk Management. 
“The organiza- It isn’t enough to include the security information covered in the employee handbook or conduct an annual backup fails, they would be forced to tions that fail to train their people are doing their business, their personnel and the training session, perhaps during lunch break. To be eective, employees must be reminded throughout the pay the ransom. Sadly, too many Internet as a whole a disservice because the training they provide at work aects year of security best practices and must be tested on the job, not in the classroom, to see if they are backups fail for this to be a wise how their employees make security decisions while they are on the Internet at home as well.” applying what they have learned. approach. According to a 2013 report by Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best Symantec, Avoiding the Hidden Costs of defense, and they also know that most employees receive no or ineective Security Awareness Training, it the Cloud, 47% of enterprises lost data in is no surprise why such a high percentage are concerned about ransomware and feel their systems are How Eective Is Security Awareness Training In the cloud and had to restore their ineective. information from backups, 37% of SMBs Combatting Ransomware? have lost data in the cloud and had to Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Guarding Against Ransomware restore their information from backups and a Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their Given the rapid spread and potentially high cost of ransomware, it is important to take eective steps to startling 66% of those organizations saw recovery operations fail. workstation, KnowBe4 pays your crypto-ransom. 
Find out how aordable this is for your organization now, guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is visit our website www.knowbe4.com. not a realistic expectation. True, there are occasional high prole successes, like the one against the “Storage media fails regardless of type; it is just a matter of when,” said Je Pederson, manager of data Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond were before. good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.” Drew Robb is a freelance writer living In Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, information week and writers digest. Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and Your Money or Your Life Files those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders which resulted in much higher quality malware. This is when the rst rootkit avors A Short History Of Ransomware showed up. They were going for larger targets where more money could be stolen. This was also the time where traditional maas got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fth and current generation was the formation of an “Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are active underground economy, where stolen goods and illegal services are bought and sold in a ‘ blurring the lines between online and o ine fraud, and giving novice computer users a crash course in professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has crypto-style ransomware has seen a 700 percent-plus increase. These le-encrypting versions of ransom- opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. ware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the Some examples of this specialization are: end of August. • Cybercrime has its own social networks with escrow services One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware, • Malware can be licensed and receive tech support and its numerous variants, which encrypts the les on a user’s computer and demands the user pay a • You can rent botnets by the hour, for your own crime spree ransom, usually in Bitcoins, in order to receive the key to decrypt the les. But Cryptolocker is just one • Pay-for-play malware infection services have appeared that quickly create botnets approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To • A lively market for zero-day exploits (unknown software vulnerabilities) has been established guard against ransomware, it is not enough to know the malware that is making the rounds that day. 
It is vital to have a broader understanding of the topic, so one can take eective countermeasures against this evolving threat.

Hacking Generations The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing increases malware quality, speeds up the criminal ‘supply chain’ and eectively spreads risk among these nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. see what they could get away with. It is now a multi-billion global activity being run by organized Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing the miscreants have done over the last 10 years. services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the The History Of Ransomware cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai. Now that we’ve sketched out the various hacking generations let’s zero in on ransomware and how it has evolved over time. Generation One -Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large 1989: Ransomware can be simply dened as a type of malware that restricts access to a computer system extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released with a oppy disk to transfer the virus. way back in 1989. 
It was written by Harvard-trained evolutionary biologist Joseph L. Popp who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Generation Two -These early day ‘sneaker-net’ viruses were followed by a much more malicious type of Organization’s international AIDS conference. He included a leaet with the diskettes warning that the super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that software would “adversely aect other program applications,” and that “you will owe compensation and started to cause multi-million dollar losses. These were still more or less created to get notoriety, with possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.”The students showing o their “elite skills”. AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the les on the C: drive. To regain access, the user Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for would have to send $189 to PC Cyborg Corp. at a post oce box in Panama. easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to nd symmetric cryptography and tools were soon available to decrypt the lenames. But the AIDS Trojan set the and easy to disinfect. scene for what was to come – though it took a little while to move into high gear.

2006:When the professionals entered the picture, they combined ransomware with RSA encryption. In day. According to McAfee, part of this was that anonymous payment services made it much easier to Stealer. According to Avast: “This addition aects more than 110 applications and turns your computer to a 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to collect money than the credit card payment systems that were used with the earlier wave of fake AV botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 purchase items from an online pharmacy to receive the 30-digit password. In June 2006, the GPcode, an software scams. German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, encryption Trojan which initially spread via an email attachment purporting to be a job application, used a FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key. But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for submodules.” distributing malware and managing botnets that rst surfaced in January 2012. As the McAfee In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked report stated: Reveton is a good example of the criminal ecosystem that now exists; malware writers license other out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive malware writer's apps and integrate them for more prot. Pony is very advanced and can pluck and decrypt the unlocking code. 
Another ransomware worm imitated the Windows Product Activation notice and gave “An underground ecosystem is already in place to help with services such as pay-per-install on computers encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs. the person an international number to call to input a six-digit code. The call would be rerouted through a whitepaper that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the country with high international phone rates, and the person would be kept on hold while the fees underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local September 2013: CryptoLocker burst onto the scene racked up. law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a services in a specic country—for just a share of the prot instead of for a xed amount.” lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With An alternative approach seen in recent years is scareware. Instead of encrypting les or locking people out, encryption, however, the code must be cracked before the les can be decrypted. And, though there are you do something to spook them into making payments. Such scareware, for example, can consist of a Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person criminal ne. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes anyone without a $10 billion budget. 
that spyware was detected on their computer and which would might be pirated software or child pornography, for example. The user would be locked out of the infected then entice the person to purchase software to remove the computer and the screen be taken over by a notice informing the user of their crime and instructing them Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, spyware. Others report that child pornography or illegally that to unlock their computer they must pay the appropriate ne using a service such as Ukash, Paysafe or essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads downloaded movies were found on the computer with a MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, demand that the person pay a fee to avoid prosecution. the appearance that the person is being recorded by the police. and used it to encrypt les with certain le extensions, and delete the originals. It would then threaten to In January 2013, Mark Russinovich, developer of the delete the private key if payment was not received within three days. Payments initially could be received sysinternals Windows management tools noted that since he Reveton rst showed up in Europe countries in early 2012. In the UK, the screen appeared to be coming in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment rst wrote about scareware in 2006, many of the attacks had from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to now moved over into full-blown ransomware. Service or the Police Central e-Crime Unit. 
In Germany, it was the Bundespolizei; in Norway, the Norsk Politi get their les back. While prices vary over time and with the particular version being used, in Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original “The examples in my 2006 blog post merely nagged you that versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and your system was infected, but otherwise let you continue to use FBI, demanding a $200 dollar payment via a MoneyPak card. In November, another version came out control servers. After paying for that service, the rst 1024 bytes of an encrypted le would be uploaded to the computer,” says Russinovich. “Today’s scareware prevents pretending to be from the FBI’s Internet Crime Complaint Center (IC3). the server and the server would then search for the associated private key. you from running security and diagnostic software at the minimum, and often prevents you from executing any software Like most malware, Reveton According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the at all.” continues to evolve. In July 2013, Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the the IC3 announced a version for samples were downloaded from a compromised website located in the United States.”Versions were also Techniques include blocking the execution of other programs by OSX that ran in Safari and BOT distributed to business professionals in the form of email attachments that were made to look like simply watching for the appearance of new windows and demanded a $300 ne. This time it MASTER C&C customer complaints. 
Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a didn’t lock the computer or were initially set at $100, €100, £100, two Bitcoins or other gures for various currencies. But over the next new desktop, creating a full-screen window and constantly raising the window to the top of the window encrypt the les, but just opened a BOT few months the cash price was raised to $300 while, with the rapid price ination of Bitcoins, it was order. Other than the rst which actually kills the processes, these techniques allow the user’s processes to large number of iframes (browser lowered to 0.3 Bitcoins. continue running, but mask them so they are inaccessible. windows) that the user would have to close. In July 2013, a December 2013: 250,000 machines infected version purporting to be from the Department of Homeland Security locked computers and demanded a In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet $300 ne. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security found a researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been version masquerading as fake security software known as Live Security Professional. moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other 2012: The rst large scale ransomware outbreak It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the payment methods. By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, malware is gone. 
Once the ransom is paid, the Citadel software continues to operate and the computer can there were about 30,000 new ransomware samples detected in each of the rst two quarters of 2011. Then still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing during the third quarter, the number doubled, and it surpassed 100,000 in the rst quarter of 2012. malware, which includes password stealers and which can also disable security software. In August 2014, online banking information since 2011. June, 2014, a multi-national team composed of government Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per Avast Software reported that Reveton had added a new, more powerful password stealer called Pony agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

4

Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May, since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

The original Gameover ZeuS/CryptoLocker network was taken down in late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt, since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has its own unique characteristics.

“All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and texts instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.”

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying the ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written in C# while the original was in C++, so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files, which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense – Arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker – Appeared in August 2014. Unlike the others, which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user had to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) – Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an Eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit – Surfaced in December 2013. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end user to install the ransomware, using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

CryptoWall – In April 2014, the cybercriminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total of $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm (the cipher standardized as AES) for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014, Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.
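A triage script for the copycat behaviours described above, added here as an example and not part of the original whitepaper or of any vendor tool: it walks a directory tree and flags files whose header bytes no longer match their extension but whose body is still low-entropy (the CryptorBit pattern of clobbering only the first 212 or 1024 bytes), files that are high-entropy throughout (fully encrypted, CryptoLocker style), and the ransom-note files Moffitt mentions being dropped into every encrypted directory. The magic-byte table, the note filenames and the sample tree built in a temporary directory are constructed for the example; the entropy thresholds are assumptions to tune against your own data.

```python
import math
import os
import tempfile
from pathlib import Path

# Leading bytes ("magic") we expect for a few common file types. A file whose
# extension promises one header but whose first bytes say otherwise has had its
# header overwritten, which is what CryptorBit does to the first 212/1024 bytes.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
}

# Note filenames the copycats leave in every directory they touch.
# Constructed list for the example, not a complete catalogue.
RANSOM_NOTE_NAMES = {"DECRYPT_INSTRUCTIONS.txt", "HELP_DECRYPT.txt", "HOW_DECRYPT.txt"}

HEADER_SPAN = 1024  # CryptorBit clobbers at most this many leading bytes (assumption from the text)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8.0, English text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_file(path: Path, sample: int = 4096) -> str:
    """Classify one file as ok, ransom_note, header_clobbered or encrypted."""
    if path.name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    with open(path, "rb") as fh:
        head = fh.read(sample)
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        if head.startswith(expected):
            return "ok"
        # Header is wrong. If the bytes past the clobbered span are still low-entropy
        # the body survived (CryptorBit style); if they look random the whole file
        # was encrypted (CryptoLocker style). Thresholds are assumptions.
        body = head[HEADER_SPAN:]
        if body and shannon_entropy(body) < 6.0:
            return "header_clobbered"
        return "encrypted"
    # No known magic for this extension (e.g. .txt): judge by entropy alone.
    return "encrypted" if shannon_entropy(head) > 7.5 else "ok"


def triage_tree(root: Path) -> dict:
    """Walk a tree, count each class and record which directories hold ransom notes."""
    summary = {"ok": 0, "encrypted": 0, "header_clobbered": 0, "ransom_note": 0, "note_dirs": []}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            cls = classify_file(Path(dirpath) / name)
            summary[cls] += 1
            if cls == "ransom_note":
                summary["note_dirs"].append(os.path.relpath(dirpath, root))
    return summary


def build_sample_tree(root: Path) -> None:
    """Constructed sample: one clean file, one clobbered header, two fully encrypted files, one note."""
    text = b"Quarterly figures, nothing unusual here. " * 100           # ~4 KB of English
    docs = root / "docs"
    docs.mkdir()
    (docs / "notes.txt").write_bytes(text)                                # ok
    (docs / "report.pdf").write_bytes(os.urandom(HEADER_SPAN) + text)     # header clobbered, body intact
    (docs / "budget.docx").write_bytes(os.urandom(8192))                  # fully encrypted
    (docs / "memo.txt").write_bytes(os.urandom(8192))                     # fully encrypted
    (docs / "DECRYPT_INSTRUCTIONS.txt").write_bytes(b"Your files are encrypted. Pay 2 BTC.")


def demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    print(demo())
```

Point `triage_tree` at a mounted image or a restored share rather than the live infected host, and treat a directory that holds a note plus "encrypted" files as a confirmed scope marker; "header_clobbered" files are the ones a header-repair tool can realistically bring back without a key.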

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families:

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages purporting to come from copyright enforcement agencies such as the United Kingdom’s PRS or France’s SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.

• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.

• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

SMS Ransomware: This is a variation on the usual lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the first sector of the hard drive; it holds the boot code and the partition table that allow the system to boot up. MBR ransomware overwrites the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system.

Mobile Ransomware: Most ransomware targets desktops/laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.

• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phone and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users, using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless the phone already has security software, the only option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.

• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight-up con using people’s naiveté and features built into iOS. First, people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.
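The MBR check that the MBR ransomware paragraph above calls for, added here as an example and not code from the original whitepaper: parse the 512-byte record into boot code, disk signature, partition table and the 0x55AA boot signature, baseline it while the machine is known good, and diff a later read against that baseline. The three sample records (GOOD_MBR, LOCKED_MBR, WIPED_MBR) and their partition layout are constructed inside the code; no real disk is read.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440         # bytes 0..439: the boot code the BIOS jumps into
DISK_SIG_OFF = 440          # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446        # bytes 446..509: four 16-byte partition entries
SIGNATURE = b"\x55\xaa"     # bytes 510..511: must be present or the BIOS will not boot
ENTRY_FMT = "<B3xB3xII"     # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into the pieces worth baselining."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:                                   # type 0 = empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline captured from the same disk when it was known good."""
    current = parse_mbr(sector)
    findings = []
    if not current["valid_signature"]:
        findings.append("boot signature 0x55AA missing: firmware will refuse to boot this disk")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code replaced (sha256 %s...)" % current["boot_code_sha256"][:16])
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def make_mbr(boot_code: bytes, partitions: list, disk_sig: int = 0x1234ABCD, signed: bool = True) -> bytes:
    """Build a constructed MBR for the example (no real disk is touched)."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, count)
    if signed:
        sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed samples: a healthy Windows-style layout (type 0x07 = NTFS) and two tampered copies.
GOOD_PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1000000)]
GOOD_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, GOOD_PARTS)
# Boot code swapped for a lock-screen loader; partition table left alone so the disk still "looks" fine.
LOCKED_MBR = make_mbr(b"\xeb\xfe" + b"YOUR FILES HAVE BEEN ENCRYPTED. PAY TO UNLOCK.", GOOD_PARTS)
# Everything zeroed, including the 0x55AA signature.
WIPED_MBR = make_mbr(b"", [], signed=False)


def demo() -> dict:
    """Baseline the good record, then check all three samples against it."""
    baseline = parse_mbr(GOOD_MBR)
    return {"good": check_mbr(GOOD_MBR, baseline),
            "locked": check_mbr(LOCKED_MBR, baseline),
            "wiped": check_mbr(WIPED_MBR, baseline)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["no change"])
```

To baseline a real disk, read its first 512 bytes from the raw device with administrator rights (for example `dd if=/dev/sda bs=512 count=1` on Linux, or opening `\\.\PhysicalDrive0` on Windows) and keep the resulting dictionary off the machine. GPT/UEFI disks still carry a protective MBR (a single partition of type 0xEE), so the same comparison applies to them.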
The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified.

The reasons these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers, which makes them much harder to shut down.

2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.

3) Second-gen ransomware uses super strong cryptography, which makes decrypting it yourself impossible.

4) They compress files before encrypting them.

5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the “customer” can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second-generation ransomware mean? And what can be expected in the future? Here are several areas of malware evolution that are likely to appear:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy “pay-and-play” commercial ransomware.

2) Ransomware will expand beyond the Windows platform onto Apple’s devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.

3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cybercriminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.

The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legitimate website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.

5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies.

“With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014,” said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. “The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover.”

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought they were very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is not surprising that they cited Security Awareness Training (88%) as the most effective protection against ransomware, followed by backup at 81%.

Russian Cyber Mob Has Picked A Highly Profitable Business Model

The study asked what they would do when confronted with a scenario where backups have failed and weeks of work might be lost: an astounding 57% would begin with paying the $500 ransom and hope for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource it can bring to bear against countries it is in conflict with.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It’s Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that out of those who had had some training, it was not done frequently enough to have the desired results. “Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective,” said the EMA report. David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy.

“Security awareness training is critical for a solid security program,” said Monahan. “The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well.”

Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best defense, and they also know that most employees receive no or ineffective Security Awareness Training, it is no surprise that such a high percentage are concerned about ransomware and feel their systems are ineffective.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high-profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn’t become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching any flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company’s network is secured. This includes employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as establishing secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-real-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks.

But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail.

In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

“Storage media fails regardless of type; it is just a matter of when,” said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.”
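Checking that a backup is complete, current and restorable, as the paragraphs above require, comes down to hashing what was backed up and comparing it with what comes back from a test restore. The script below is an added example, not part of the original whitepaper: it records a SHA-256 manifest of the source tree at backup time, restores to a scratch location, and reports files that are missing, files whose content changed (which is exactly what an encrypted file looks like next to its manifest entry), and files that appeared from nowhere. The sample source tree and the three simulated failures are constructed inside a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root. Capture this when the
    backup is taken and store it where the backup job itself cannot overwrite it."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = file_sha256(p)
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a test restore (done to a scratch location) against the manifest."""
    current = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(current)),                  # never came back
        "corrupted": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "extra": sorted(set(current) - set(manifest)),                    # e.g. a ransom note
    }


def restore_is_good(report: dict) -> bool:
    """A restore passes only when nothing is missing or altered; extras are reported, not fatal."""
    return not (report["missing"] or report["corrupted"])


def demo() -> dict:
    """Constructed end-to-end run: take a manifest, 'restore', then break the restore three ways."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q3.csv").write_bytes(b"date,amount\n2014-08-01,1200\n" * 50)
        (src / "finance" / "model.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 2000)
        (src / "readme.txt").write_bytes(b"Project notes\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "readme.txt").unlink()                                          # never restored
        (restored / "finance" / "q3.csv").write_bytes(os.urandom(2000))             # came back encrypted
        (restored / "finance" / "DECRYPT_INSTRUCTIONS.txt").write_bytes(b"pay up")  # note carried into backup
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    report = demo()
    print(report, "PASS" if restore_is_good(report) else "FAIL")
```

Keep the manifest with the offline copy rather than on the live share: a manifest that the nightly job can overwrite will happily describe the encrypted versions, and the test restore will then pass for all the wrong reasons.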
Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. Bear in mind that a backup mounted as a writable drive or network share on the infected machine will be encrypted along with everything else, so at least one copy must be offline or otherwise unreachable from user workstations. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also the weakest point when it comes to blocking ransomware.

Let’s review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)

• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.

• The iPhone lockout worked by getting people to disclose their Apple IDs.

• The Android hack got people to download the software thinking they would be seeing some porn.

• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and download the software.

It isn’t enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4’s Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now; visit our website www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer’s Digest.

you from running security and diagnostic software at the minimum, and often prevents you from executing any software Like most malware, Reveton According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the at all.” continues to evolve. In July 2013, Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the the IC3 announced a version for samples were downloaded from a compromised website located in the United States.” Versions were also Techniques include blocking the execution of other programs by OSX that ran in Safari and distributed to business professionals in the form of email attachments that were made to look like simply watching for the appearance of new windows and demanded a $300 ne. This time it customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a didn’t lock the computer or were initially set at $100, €100, £100, two Bitcoins or other gures for various currencies. But over the next new desktop, creating a full-screen window and constantly raising the window to the top of the window encrypt the les, but just opened a few months the cash price was raised to $300 while, with the rapid price ination of Bitcoins, it was order. Other than the rst which actually kills the processes, these techniques allow the user’s processes to large number of iframes (browser lowered to 0.3 Bitcoins. continue running, but mask them so they are inaccessible. windows) that the user would have to close. In July 2013, a December 2013: 250,000 machines infected version purporting to be from the Department of Homeland Security locked computers and demanded a In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet $300 ne. 
In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security found a researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been version masquerading as fake security software known as Live Security Professional. moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other 2012: The rst large scale ransomware outbreak It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the payment methods. By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can there were about 30,000 new ransomware samples detected in each of the rst two quarters of 2011. Then still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing during the third quarter, the number doubled, and it surpassed 100,000 in the rst quarter of 2012. malware, which includes password stealers and which can also disable security software. In August 2014, online banking information since 2011. June, 2014, a multi-national team composed of government Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per Avast Software reported that Reveton had added a new, more powerful password stealer called Pony agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,


Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May, since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

The original Gameover ZeuS/CryptoLocker network was taken down late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has their own unique characteristics.

“All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and text instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.”

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++, so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it generated the key pair with Windows’ built-in cryptography APIs, the private key was left behind in the user’s key store on the infected computer, where the victim could recover it and decrypt the files without paying. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker appeared in August 2014. Unlike the others, which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) – Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 512 or 1024 bytes of any data file it finds, leaving the rest of the file untouched. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are damaged, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total of $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael (AES) algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014 Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families:

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom’s PRS or France’s SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.

• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.

• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.
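The file-damaging strains in the CryptoLocker Copycats section above leave different traces: CryptoLocker, CryptoDefense and CryptoWall encrypt whole files of chosen extensions, CryptorBit overwrites only the first 512 or 1024 bytes, and the newer strains drop text instructions into every directory they touch. All of them leave a cheap forensic signal on a file share: a file whose first bytes no longer match the header its extension implies, or whose contents are uniformly random. The following Python script is an added example, not code from the whitepaper or from any vendor it cites. It builds a handful of constructed sample files (no real data, no real malware) and labels each one using a short hand-written magic-byte table, an entropy threshold of 7.5 bits per byte and a hypothetical ransom-note name filter; the table, the threshold and the note keywords are assumptions chosen for the illustration.

```python
"""Triage scan for files that look encrypted or header-corrupted (added example)."""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Expected leading bytes per extension. Assumption for this example: a short
# hand-written table; a real tool would use libmagic or a full signature list.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML is a zip container
    ".zip": b"PK\x03\x04",
}
HEADER_BYTES = 1024                    # CryptorBit overwrote the first 512 or 1024 bytes
ENTROPY_THRESHOLD = 7.5                # bits per byte; ciphertext sits close to 8.0
NOTE_KEYWORDS = ("decrypt", "recover")  # hypothetical ransom-note filename fragments


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Label one file: ok, header-mismatch, high-entropy, plain or ransom-note."""
    name = path.name.lower()
    if path.suffix.lower() in (".txt", ".html") and any(k in name for k in NOTE_KEYWORDS):
        return "ransom-note"           # text instructions dropped in each directory
    with open(path, "rb") as f:
        head = f.read(HEADER_BYTES)
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        # No signature to check (unknown or renamed extension): fall back to entropy.
        return "high-entropy" if shannon_entropy(head) > ENTROPY_THRESHOLD else "plain"
    return "ok" if head.startswith(expected) else "header-mismatch"


def scan(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its label."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def suspicious(results: dict) -> list:
    """Paths worth a human look: anything not verified-ok or plain text."""
    return sorted(p for p, label in results.items() if label not in ("ok", "plain"))


def pseudo_ciphertext(seed: bytes, n: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_samples(root: Path) -> Path:
    """Write constructed sample files; no real data and no real malware involved."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    text = b"Quarterly budget notes. Revenue is flat; costs are down.\n" * 20
    ct = pseudo_ciphertext(b"example-seed", 4096)
    (docs / "notes.txt").write_bytes(text)                                  # untouched text
    (docs / "logo.png").write_bytes(MAGIC[".png"] + b"\x00" * 64 + text)     # intact header
    (docs / "photo.jpg").write_bytes(ct)                                    # encrypted in place
    (docs / "report.pdf").write_bytes(ct[:HEADER_BYTES] + b"%PDF-1.4\n" + text)  # header-only overwrite
    (docs / "budget.xlsx.encrypted").write_bytes(ct)                        # encrypted and renamed
    (docs / "DECRYPT_INSTRUCTIONS.txt").write_bytes(b"Your files are encrypted. Install Tor ...\n")
    return Path(root)


def demo() -> dict:
    """Build the samples in a scratch directory and return the scan results."""
    return scan(build_samples(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    for path, label in demo().items():
        print(f"{label:16} {path}")
```

Run it directly to print one label per file. The magic-byte check is the strong signal: it catches header-only corruption that entropy would miss (the body of a CryptorBit-damaged file is still plain) and is not fooled by legitimately high-entropy formats such as JPEG or zip, which entropy alone would flag. Entropy is only the fallback for files whose extension carries no signature, which is exactly the case for strains that rename what they encrypt.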

SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the first sector of the hard drive; it holds the boot code and partition table that allow the system to boot up. MBR ransomware overwrites the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system.

Mobile Ransomware: Most ransomware targets desktops and laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.

• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless phones already have security software, the only option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.

• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight up con using people’s naiveté and features built into iOS. First people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would sign in to iCloud with those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. The reasons that these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers, which makes them much harder to shut down.

2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.

3) Second-gen ransomware uses super strong cryptography, which makes decrypting it yourself impossible.

4) They compress files before encrypting them.

5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the “customer” can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several likely areas of malware evolution that are likely to appear:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy “pay-and-play” commercial ransomware.

2) Ransomware will expand beyond the Windows platform onto Apple’s devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.

3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.

The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legit website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.

5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies.

“With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014,” said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. “The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover.”

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought it was very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is

not surprising that they cited Security Awareness Training (88%) as the most effective protection against ransomware, followed by backup at 81%.

Russian Cyber Mob Has Picked A Highly Profitable Business Model

The study asked what they would do when confronted with a scenario where backups have failed and weeks of work might be lost; an astounding 57% would begin with paying the $500 ransom and hope for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource they can bring to bear against countries they are in conflict with.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It’s Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that out of those who have had some training, it was not done frequently enough to have the desired results. “Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective,” said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy.

“Security awareness training is critical for a solid security program,” said Monahan. “The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well.”

Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best defense, and they also know that most employees receive no or ineffective Security Awareness Training, it is no surprise why such a high percentage are concerned about ransomware and feel their systems are ineffective.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn’t become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching any flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company’s network is secured. This includes employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as establishing secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks. One caveat: a backup that simply mirrors the live files will copy the encrypted versions over the good ones just as faithfully, so the backup must keep prior versions and must not be writable from the infected machine with the user’s ordinary credentials.

But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

“Storage media fails regardless of type; it is just a matter of when,” said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.”

Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also the weakest point when it comes to blocking ransomware.

Let’s review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)

• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.

• The iPhone lockout worked by getting people to disclose their Apple IDs.

• The Android hack got people to download the software thinking they would be seeing some porn.

• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and download the software.

It isn’t enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4’s Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now: visit our website www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer’s Digest.

Generation Five - The main event that created the fth and current generation was the formation of an “Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are active underground economy, where stolen goods and illegal services are bought and sold in a ‘ blurring the lines between online and o ine fraud, and giving novice computer users a crash course in professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has crypto-style ransomware has seen a 700 percent-plus increase. These le-encrypting versions of ransom- opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. ware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the Some examples of this specialization are: end of August. • Cybercrime has its own social networks with escrow services One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware, • Malware can be licensed and receive tech support and its numerous variants, which encrypts the les on a user’s computer and demands the user pay a • You can rent botnets by the hour, for your own crime spree ransom, usually in Bitcoins, in order to receive the key to decrypt the les. But Cryptolocker is just one • Pay-for-play malware infection services have appeared that quickly create botnets approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To • A lively market for zero-day exploits (unknown software vulnerabilities) has been established guard against ransomware, it is not enough to know the malware that is making the rounds that day. 
It is vital to have a broader understanding of the topic, so one can take eective countermeasures against this evolving threat.

Hacking Generations The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing increases malware quality, speeds up the criminal ‘supply chain’ and eectively spreads risk among these nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. see what they could get away with. It is now a multi-billion global activity being run by organized Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing the miscreants have done over the last 10 years. services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the The History Of Ransomware cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai. Now that we’ve sketched out the various hacking generations let’s zero in on ransomware and how it has evolved over time. Generation One -Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large 1989: Ransomware can be simply dened as a type of malware that restricts access to a computer system extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released with a oppy disk to transfer the virus. way back in 1989. 
It was written by Harvard-trained evolutionary biologist Joseph L. Popp who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Generation Two -These early day ‘sneaker-net’ viruses were followed by a much more malicious type of Organization’s international AIDS conference. He included a leaet with the diskettes warning that the super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that software would “adversely aect other program applications,” and that “you will owe compensation and started to cause multi-million dollar losses. These were still more or less created to get notoriety, with possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.”The students showing o their “elite skills”. AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the les on the C: drive. To regain access, the user Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for would have to send $189 to PC Cyborg Corp. at a post oce box in Panama. easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to nd symmetric cryptography and tools were soon available to decrypt the lenames. But the AIDS Trojan set the and easy to disinfect. scene for what was to come – though it took a little while to move into high gear.

2006:When the professionals entered the picture, they combined ransomware with RSA encryption. In day. According to McAfee, part of this was that anonymous payment services made it much easier to Stealer. According to Avast: “This addition aects more than 110 applications and turns your computer to a 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to collect money than the credit card payment systems that were used with the earlier wave of fake AV botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 purchase items from an online pharmacy to receive the 30-digit password. In June 2006, the GPcode, an software scams. German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, encryption Trojan which initially spread via an email attachment purporting to be a job application, used a FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key. But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for submodules.” distributing malware and managing botnets that rst surfaced in January 2012. As the McAfee In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked report stated: Reveton is a good example of the criminal ecosystem that now exists; malware writers license other out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive malware writer's apps and integrate them for more prot. Pony is very advanced and can pluck and decrypt the unlocking code. 
Another ransomware worm imitated the Windows Product Activation notice and gave “An underground ecosystem is already in place to help with services such as pay-per-install on computers encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs. the person an international number to call to input a six-digit code. The call would be rerouted through a that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the country with high international phone rates, and the person would be kept on hold while the fees underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local September 2013: CryptoLocker burst onto the scene racked up. law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a services in a specic country—for just a share of the prot instead of for a xed amount.” lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With An alternative approach seen in recent years is scareware. Instead of encrypting les or locking people out, encryption, however, the code must be cracked before the les can be decrypted. And, though there are you do something to spook them into making payments. Such scareware, for example, can consist of a Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person criminal ne. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes anyone without a $10 billion budget. 
that spyware was detected on their computer and which would might be pirated software or child pornography, for example. The user would be locked out of the infected then entice the person to purchase software to remove the computer and the screen be taken over by a notice informing the user of their crime and instructing them Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, spyware. Others report that child pornography or illegally that to unlock their computer they must pay the appropriate ne using a service such as Ukash, Paysafe or essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads downloaded movies were found on the computer with a MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, demand that the person pay a fee to avoid prosecution. the appearance that the person is being recorded by the police. and used it to encrypt les with certain le extensions, and delete the originals. It would then threaten to In January 2013, Mark Russinovich, developer of the delete the private key if payment was not received within three days. Payments initially could be received sysinternals Windows management tools noted that since he Reveton rst showed up in Europe countries in early 2012. In the UK, the screen appeared to be coming in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment rst wrote about scareware in 2006, many of the attacks had from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to now moved over into full-blown ransomware. Service or the Police Central e-Crime Unit. 
In Germany, it was the Bundespolizei; in Norway, the Norsk Politi get their les back. While prices vary over time and with the particular version being used, in Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original “The examples in my 2006 blog post merely nagged you that versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and your system was infected, but otherwise let you continue to use FBI, demanding a $200 dollar payment via a MoneyPak card. In November, another version came out control servers. After paying for that service, the rst 1024 bytes of an encrypted le would be uploaded to the computer,” says Russinovich. “Today’s scareware prevents pretending to be from the FBI’s Internet Crime Complaint Center (IC3). the server and the server would then search for the associated private key. you from running security and diagnostic software at the minimum, and often prevents you from executing any software Like most malware, Reveton According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the at all.” continues to evolve. In July 2013, Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the the IC3 announced a version for samples were downloaded from a compromised website located in the United States.”Versions were also Techniques include blocking the execution of other programs by OSX that ran in Safari and distributed to business professionals in the form of email attachments that were made to look like simply watching for the appearance of new windows and demanded a $300 ne. This time it customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. 
Prices forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a didn’t lock the computer or were initially set at $100, €100, £100, two Bitcoins or other gures for various currencies. But over the next new desktop, creating a full-screen window and constantly raising the window to the top of the window encrypt the les, but just opened a few months the cash price was raised to $300 while, with the rapid price ination of Bitcoins, it was order. Other than the rst which actually kills the processes, these techniques allow the user’s processes to large number of iframes (browser lowered to 0.3 Bitcoins. continue running, but mask them so they are inaccessible. windows) that the user would have to close. In July 2013, a December 2013: 250,000 machines infected version purporting to be from the Department of Homeland Security locked computers and demanded a In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet $300 ne. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security found a researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been version masquerading as fake security software known as Live Security Professional. moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other 2012: The rst large scale ransomware outbreak It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the payment methods. By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can there were about 30,000 new ransomware samples detected in each of the rst two quarters of 2011. 
Then still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing during the third quarter, the number doubled, and it surpassed 100,000 in the rst quarter of 2012. malware, which includes password stealers and which can also disable security software. In August 2014, online banking information since 2011. June, 2014, a multi-national team composed of government Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per Avast Software reported that Reveton had added a new, more powerful password stealer called Pony agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and UK) and private companies, primarily Dell SecureWorks and CloudStrike, managed to disable RSA-1024. However, the infection methods were the same and the screen image very close to the original Dierent Ransomware Families the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. Ransomware breaks down into several dierent malware families. Bogachev who operated the botnet from his base on the Black Sea. However, you will notice that Russia is However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the not listed as one of the participating governments, and given the current geopolitical situation it is unlikely infected computer. Despite this aw, the hackers still managed to earn at least $34,000 in the rst month, WinLock/Police Ransomware–Police Ransomware is software, like Reveton, that displays a message that he will ever show up in court. according to Symantec. that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and August 2014, security rms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was displaying a screen giving the message from the “police.”This software started out in Eastern Europe, that they had jointly developed a program that may be able to decrypt les that were encrypted by the designed for Synology network attached storage devices. And unlike most encryption ransomware, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of original CryptoLocker botnet. 
The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/) SynoLocker encrypts the les one by one. Payment was 0.6 Bitcoins and the user has to go to an address on dealing with Communist secret police organizations. Starting in 2012, however, these infections began whitepaper is free to anyone who still has those encrypted les, but it is unlikely to work on any machines infected the Tor network to unlock the les. spreading worldwide. after the original network was brought down in late May since later infections are likely to use dierent encryption keys. CTB-Locker (Curve-Tor-Bitcoin Locker) - Also known as Critoni.A. This was discovered midsummer 2014 One factor that is unique about this type of software is that it must be tailored to the local area. While other and Fedor Sinitisyn, a security researcher for Kapersky. Early versions only had an English language GUI, but types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will BitCoins are created on a xed schedule, then Russian was added. The rst infections were mainly in Russia, so the developers were likely from an signal that it is not from the agency it purports to be from. Enigma Software lists three common Police currently 12.5 BitCoins about every ten CryptoLocker Copycats eastern European country, not Russia, because the Russian security services immediately arrest and shut Ransomware families. minutes, with about 13,000,000 currently in It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is down any Russians hacking others in their own country. circulation. The ownership of all the BitCoins is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. held in a publicly accessible ledger, called the The same applies to criminal networks. block chain, which is updated several times an CryptorBit surfaced in December 2013. 
Unlike CrytoLocker and CryptoDefense which only target specic le hour. People maintain a digital wallet and extensions, CryptorBit corrupts the rst 212 or 1024 bytes of any data le it nds. It also seems to be able to make payments by transferring BitCoins from As Tyler Mot of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber one wallet to another. Payments can be made suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with gang uses social engineering to get the end-user to install the ransomware using such devices as a in fractions of BitCoins. GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been fake ash update or a rogue antivirus product. Then, once the les are encrypted, the user is asked ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated to install the Tor Browser, enter their address and follow the instructions to make the ransom Although all the BitCoin transactions are themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now publicly noted, who holds the wallets is kept payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses anonymous. This makes them ideal for that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware criminals. They don’t have to use the botnets out there that are still for lease.” developer’s digital wallet. 
highly-regulated banking systems, they don’t pay credit card transaction processing fees, and The original Gameover ZeuS/CryptoLocker network was taken down late May 2014, but resurfaced by July CryptoWall – April 2014, the cyber criminals behind CryptoDefense release an BitCoins aren’t subject to limitations on 2014. In fact, you didn’t even have to wait for that network to be rebuilt since copycats had already hit the improved version called CryptoWall. While largely similar to the earlier edition, sending currency internationally. Therefore, Net. While they generally have a similar overall operating pattern of encryption and extortion, they come there is no need to hire mules to transport cash CryptoWall doesn’t store the encryption key where the user can get to it. In across borders. from dierent sets of hackers and each has their own unique characteristics. addition, while CryptoDefense required the user to open an infected attach- ment, CryptoWall uses a Java vulnerability. Malicious advertisements on BitCoins, like other electronic activities, are not "All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, domains belonging to Disney, Facebook, The Guardian newspaper and many completely secure. For example, the but they have some improvements,” says Mot. “First is that there is no GUI and instead just background others led people to sites that were CryptoWall infected and encrypted their drives. According to an August Tokyo-based Mt. Gox BitCoin exchange, which changes and texts instructions in every directory that was encrypted. 
Second is that you no longer pay 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the had been handling about 70% of all using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser transactions, suspended trading in February largest and most destructive ransomware threat on the Internet as of this publication, and they expect this to pay them securely and directly. This allows malware authors to skip money mules and increase the 2014 and announced that 850,000 BitCoins threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants were missing, probably stolen. And when the percent of prots.” with 5.25 billion les being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo U.S. FBI shut down the Silk Road online black paid $500, but the amounts ranged from $200 to $10,000. market, it seized 144,000 BitCoins. But, at least Here are some of the variations we have seen so far: family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS for now, cybercriminals consider the level of or France's SACEM. A US variant, FBI MoneyPak claims the person viewed child pornography and demand a Locker – This was apparently the rst copycat software, initially noted in early December 2013. It cost TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses security good enough to make it a superior users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But $100 ne be sent via MoneyPak. 
way of doing business than working with components of CryptoLocker and CryptoWall but with completely dierent code from these other two government-issued currencies. apparently the code was poorly designed: security rm IntelCrawler said it found a way to decrypt the les ransomware families.” It spreads through spam and uses the Rijndael algorithm for le encryption rather without paying ransom. • The Reveton family of malware is covered earlier in this paper also includes the variants Matsnu than RSA-2048. Ransom is paid by purchasing Bitcoins from specic Australian Bitcoin websites. and Rannoh. Cryptoblocker – July 2014 Trend Micro reported a new ransomware that doesn’t encrypt les that are larger CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. • Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a dierent It uses AES rather than RSA encryption. programming team. Among other dierences, 2.0 would only accept Bitcoins, and it would encrypt image, responsible for Police Ransomware scams that have spread throughout North and South America music and video les which the original skipped. And, while it claimed to use RSA-4096, it actually used since April of 2012.

6

SMS Ransomware: This is a variation on the usual lockout ransomware that differs only in the payment method. The lock screen displays a code with instructions to send it by text message to a premium-rate SMS number; the user then receives an SMS message containing the unlock code.

File Encryptors: These are ransomware strains which encrypt all or some of the files on the disk, while leaving the applications in place. The screen displays a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the key needed to decrypt the files is sent to the victim.

MBR Ransomware: The Master Boot Record (MBR) is the first sector of the hard drive; it holds the boot code that runs at power-on together with the partition table. MBR ransomware overwrites the computer's MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won't load the operating system, the user can't run tools to remove the infection and repair the system; recovery means booting from clean rescue media and restoring the boot sector.

Mobile Ransomware: Most ransomware targets desktops and laptops, but there are also attacks designed for mobile devices. These include:

• Koler.a: Launched in April 2014, this police ransom Trojan infected around 200,000 Android users, three quarters of them in the US, who were searching for porn and wound up downloading the software. Since Android requires the user's permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn't say by whom.

• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and was originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phone and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users with a fake FBI message and a $200 payment demand, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless the phone already has security software installed, the remaining option is to boot into safe mode and erase all the data on the phone, which leaves the data on the SIM and SD cards intact.

• Find My iPhone – In May 2014, iOS users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that the device had been locked by "Oleg Pliss" and requiring payment of $50 to $100 to unlock it. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn't involve installing any malware; it was simply a straight-up con using people's naiveté and features built into iOS. First, people were scammed into signing up for a fake video service that required entering their Apple ID credentials. With those credentials, the attackers signed in to iCloud and used the Find My iPhone feature, which includes the ability to remotely lock a lost or stolen device, to lock the owners out of their own devices.

The Future Of Ransomware

Starting in September 2013, ransomware became much more vicious and inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. The reasons these strains are called second generation are as follows:

1) They use the Tor network for their Command & Control (C&C) servers, which makes them much harder to shut down.

2) Traffic between the malware on the infected machine and its C&C servers is much harder to intercept.

3) Second-gen ransomware uses strong, correctly implemented crypt­ography, so recovering the files without the attacker's private key is not feasible.

4) They compress files before encrypting them.

5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It lets the "customer" specify the Bitcoin ransom amount and choose which file types will be encrypted, so that criminals can compete and differentiate themselves.

What does the appearance of second-generation ransomware mean? And what can be expected in the future? Here are several likely areas of malware evolution:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.

2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad has already happened and is likely to occur with greater frequency. The same applies to the Android OS, which runs on both phones and tablets; the first waves of Android infections occurred in 2014.

3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cybercriminals can buy all the elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use proven social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware with its encryption and decryption features, and, last but not least, the financial infrastructure that allows victims to pay.

The vast majority of these attacks will be launched from countries that have no legislation (or insufficient enforcement) to stop this kind of attack, with the result that U.S. law enforcement will continue to be severely challenged to do anything effective about it and will be forced to keep playing whack-a-mole: like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

4) Infection vectors will continue to become more creative and harder to defend against. At the moment, links to cloud storage are being used as a social engineering trick so that people are tempted to open zip files. But it is likely that drive-by ransomware infections will become the norm: visiting a legitimate website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.

5) Attacks will become far more technically sophisticated and will be able to evade normal detection methods such as antivirus and sandboxing technologies.

"With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company's 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker's deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn't protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought they were very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is
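The MBR ransomware family described above works by overwriting the boot sector, which suggests a simple control: record a hash of the 446-byte boot-code region from a known-clean machine and re-check it on a schedule or before trusting a restore. The script below is an added example written for this page, not code from the whitepaper or from KnowBe4; the two sample sectors and the baseline hash are constructed inline, and on a real machine you would pass a raw device such as /dev/sda (root required) to read_sector().

```python
"""Baseline-and-verify check for a disk's Master Boot Record (MBR).

Added example, not code from the original whitepaper. It parses a 512-byte
sector, checks the 0x55AA signature and partition-table sanity, and compares
the 446-byte boot-code region against a previously recorded SHA-256 baseline.
The sample sectors below are constructed for the demo; a real baseline should
be taken from a known-clean machine and stored off the host.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": entries,
        "signature": sector[510:512],
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR looks unchanged."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):          # only "inactive" or "bootable" are valid
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: type 0x{p['type']:02x} with zero length")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte sector with one bootable NTFS partition for the demo."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = part0 + b"\x00" * 48                      # three empty entries
    return code + table + MBR_SIGNATURE


# Constructed "known-good" sector and a constructed overwrite in the ransom-note style.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe" + b"PAY TO BOOT")


def read_sector(path: str) -> bytes:
    """Read the first sector of a file or raw block device (e.g. /dev/sda, needs root)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Hashing only the boot-code region keeps the check quiet when an administrator legitimately repartitions the disk, while still catching the overwrite this family relies on; run it from clean media, because a machine that is already locked cannot be trusted to report on itself.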
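The survey result that nearly half of respondents see email attachments as the largest threat, together with the cloud-storage-link-to-zip trick noted under the fourth prediction, points at a cheap mail-gateway check: look at each attachment's name, and inside any zip, for files Windows would execute. The following script is an added example for this page, not the whitepaper's or KnowBe4's code; the extension lists are assumptions to be tuned, and the message it screens is a constructed lure in the style of the resume attachments the paper describes.

```python
"""Screen an e-mail's attachments for ransomware-style droppers.

Added example, not code from the whitepaper. It parses a message with the
standard library, then flags attachments that are executables, that hide an
executable behind a document-looking double extension (resume.pdf.exe), or
that are zip archives containing such files. The sample message is constructed
below so the script runs offline.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional

# Extensions Windows executes on double-click; assumed starting list, extend as needed.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "jar", "cpl", "msi", "ps1"}
# Document-looking extensions attackers put in front of a real executable extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_name(name: str) -> Optional[str]:
    """Return a finding for a single file name, or None if the name looks benign."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return f"double extension hiding executable: {name}"
        return f"executable attachment: {name}"
    return None


def inspect_zip(blob: bytes, outer: str) -> List[str]:
    """Look inside a zip attachment without extracting anything to disk."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                hit = classify_name(info.filename)
                if hit:
                    findings.append(f"inside {outer}: {hit}")
    except zipfile.BadZipFile:
        findings.append(f"{outer}: claims to be a zip but is not parseable")
    return findings


def screen_message(raw: bytes) -> List[str]:
    """Return findings for every attachment in a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        hit = classify_name(name)
        if hit:
            findings.append(hit)
        # Check magic bytes too: a zip renamed to .pdf still starts with PK\x03\x04.
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            findings.extend(inspect_zip(payload, name))
    return findings


def build_sample_message() -> bytes:
    """Constructed lure in the style the paper describes: a 'resume' for a job posting."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.pdf.exe", b"MZ\x90\x00 not a real binary")
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "hr@example.org"
    msg["Subject"] = "Application for the posted position"
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Resume.zip")
    msg.add_attachment("plain text cover letter", subtype="plain",
                       filename="cover_letter.txt")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_message(build_sample_message()):
        print("FLAG:", finding)
```

Name-based screening is a first filter, not a verdict: a macro-bearing .docx or a password-protected zip passes it, so it belongs in front of, not instead of, content inspection and the user training the survey respondents rank first.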

not surprising that they cited Security Awareness Training (88%) as the most effective protection against ransomware, followed by backup at 81%.

Russian Cyber Mob Has Picked A Highly Profitable Business Model

The study also asked what respondents would do when confronted with a scenario where backups have failed and weeks of work might be lost: an astounding 57% would begin by paying the $500 ransom and hoping for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource it can bring to bear against countries it is in conflict with.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It's Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that among those who had had some training, it was not done frequently enough to have the desired results. "Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective," said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy. "Security awareness training is critical for a solid security program," said Monahan. "The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well."

Given that IT expects ransomware to increase, knows that Security Awareness Training is the best defense, and also knows that most employees receive no or ineffective Security Awareness Training, it is no surprise that such a high percentage are concerned about ransomware and feel their defenses are ineffective.

Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also the weakest point when it comes to blocking ransomware.

Let's review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)

• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.

• The iPhone lockout worked by getting people to disclose their Apple IDs.

• The Android hack got people to download the software thinking they would be seeing some porn.

• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and you download the software.

Every one of these relies on a person making a bad decision, not on a software flaw. It isn't enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during a lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high-profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

If one is hit and can't recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn't become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching any flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company's network is secured. This includes employees' smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or application whitelisting software as well as secure policies such as not allowing programs to auto-install, blocking unneeded ports, web filtering, restricting access to file shares (a ransomware process can only encrypt what the logged-in user can write to), and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-real-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks. A backup that stays mounted on the infected machine, such as a mapped network drive or an always-connected USB disk, will simply be encrypted along with everything else, so at least one copy must be kept offline or otherwise unreachable from the workstation.

But this, of course, assumes that the backup is complete, is current and can be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

"Storage media fails regardless of type; it is just a matter of when," said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. "To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss."

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. To find out how affordable this is for your organization, visit our website, www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.

Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and those behind it became better organized. They were mostly in Eastern European countries and utilized more mature coders, which resulted in much higher quality malware. This is when the first rootkit flavors showed up. They were going for larger targets where more money could be stolen. This was also the time when traditional mafias got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fifth and current generation was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a 'professional' manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the 'industry' to relatively inexperienced criminals who can learn the trade and get to work quickly. Some examples of this specialization are:

• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

"Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the end of August.

One of the key methods cybercriminals are using is ransomware, most famously the CryptoLocker malware and its numerous variants, which encrypts the files on a user's computer and demands the user pay a ransom, usually in Bitcoin, in order to receive the key to decrypt the files. But CryptoLocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.

Hacking Generations

Let's begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion dollar global activity being run by organized cybercrime, hiring experienced, professional coders and running e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran's uranium enrichment facilities or the cyberespionage specialists of People's Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation Two - These early-day 'sneaker-net' viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their "elite skills".

Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal, who used the botnet for sending spam, attacking websites, identity theft and other nefarious activities. The malware used was more advanced than the code of the 'pioneers' but was still easy to find and easy to disinfect.

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal 'supply chain' and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

The History Of Ransomware

Now that we've sketched out the various hacking generations, let's zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp, who sent 20,000 infected diskettes labeled "AIDS Information – Introductory Diskettes" to attendees of the World Health Organization's international AIDS conference. He included a leaflet with the diskettes warning that the software would "adversely affect other program applications," and that "you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally." The AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the user sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a persistent notice, appearing to be a Windows alert, which pops up on the infected machine telling the person that spyware was detected on their computer and which then entices the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer, with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had moved over into full-blown ransomware. "The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer," says Russinovich. "Today's scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all."

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, and creating a full-screen window and constantly raising it to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user's processes to continue running but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee's Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

"An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer's regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount."

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact "crime" and "law enforcement agency" are tailored to the user's locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafecard or MoneyPak. Some versions would also take over the computer's webcam and show its feed on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London's Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI's Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OS X that ran in Safari and demanded a $300 fine. This time it didn't lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn't mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: "This addition affects more than 110 applications and turns your computer into a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules." Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt stored passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the private key must be obtained before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is out of reach for anyone without a $10 billion budget.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. On infection it contacted a command-and-control server, which generated a 2048-bit RSA key pair for that victim and handed back only the public key; the malware used it to encrypt files with certain file extensions and deleted the originals, while the private key needed for decryption never left the server. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be made in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn't received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices varied over time and with the particular version being used, in mid-November 2013, when the going ransom was 2 Bitcoins or about $460, those who missed the original ransom deadline could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, "The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States." Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoin, the Bitcoin price was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then-current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet, which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files. It works by matching an uploaded encrypted file against the private keys recovered from the seized command-and-control infrastructure, so it is unlikely to work on any machines infected after the original network was brought down in late May, since later infections use keys that were never captured.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks. As Tyler Moffitt of Webroot put it: "While seizing the majority of the GameOver Zeus Botnets from the suspected "mastermind" Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it's a very bold claim to state that Cryptolocker has been 'neutralized'. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev's servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease."

The original Gameover ZeuS/CryptoLocker network was taken down in late May 2014, but resurfaced by July 2014. In fact, you didn't even have to wait for that network to be rebuilt, since copycats had already hit the Net. While they generally follow a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has its own unique characteristics.

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass the Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware, using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim's computer to mine digital coins such as Bitcoin and deposits them in the malware developer's digital wallet.

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit RSA encryption. However, because it generated the key pair with Windows' built-in CryptoAPI, which by default keeps a copy of the generated private key in the user's local key store, the private key was left sitting on the infected computer, where the victim could recover it. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn't store the encryption key where the user can get to it. In … RSA-1024. However, the infection methods were the same and the screen image very close to the original.

SynoLocker appeared in August 2014. Unlike the others, which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) - Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English-language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an Eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography or by downloading or sharing intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the "police." This software started out in Eastern Europe, perhaps preying on citizens' understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families.
addition, while CryptoDefense required the user to open an infected attach- pose the largest threat ment, CryptoWall uses a Java vulnerability. Malicious advertisements on "All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, domains belonging to Disney, Facebook, The Guardian newspaper and many but they have some improvements,” says Mot. “First is that there is no GUI and instead just background others led people to sites that were CryptoWall infected and encrypted their drives. According to an August changes and texts instructions in every directory that was encrypted. Second is that you no longer pay 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser largest and most destructive ransomware threat on the Internet as of this publication, and they expect this to pay them securely and directly. This allows malware authors to skip money mules and increase the threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, percent of prots.” The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants with 5.25 billion les being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo paid $500, but the amounts ranged from $200 to $10,000. Here are some of the variations we have seen so far: family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS Locker – This was apparently the rst copycat software, initially noted in early December 2013. It cost or France's SACEM. 
A US variant, FBI MoneyPak claims the person viewed child pornography and demand a TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses $100 ne be sent via MoneyPak. users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But components of CryptoLocker and CryptoWall but with completely dierent code from these other two apparently the code was poorly designed: security rm IntelCrawler said it found a way to decrypt the les ransomware families.” It spreads through spam and uses the Rijndael algorithm for le encryption rather without paying ransom. • The Reveton family of malware is covered earlier in this paper also includes the variants Matsnu than RSA-2048. Ransom is paid by purchasing Bitcoins from specic Australian Bitcoin websites. and Rannoh. Cryptoblocker – July 2014 Trend Micro reported a new ransomware that doesn’t encrypt les that are larger CryptoLocker 2.0 –This version was also on the market by mid-December. Despite the name similarity, than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. • Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a dierent It uses AES rather than RSA encryption. programming team. Among other dierences, 2.0 would only accept Bitcoins, and it would encrypt image, responsible for Police Ransomware scams that have spread throughout North and South America music and video les which the original skipped. And, while it claimed to use RSA-4096, it actually used since April of 2012.

7

SMS Ransomware: This a variation on the usual type of type of lockout ransomware in terms of the • Find My Phone – In May 2014, iDevice users in Australia and the U.S. started nding a lock 3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where payment method. The screen will display a code with instructions to send that code via text message to screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions premium-rate SMS number. The user then receives an SMS message giving the unlock code. payment of $50 to $100 to unlock. It is unknown how many people were aected, but in June the comprise a range of elements including potential victim email lists, phishing templates that use successful File Encryptors: These are ransomware which encrypt all or some of the les on the disk, while leaving the Russian police arrested two people responsible and reported how they operated. This didn’t social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that applications in place. The screen will show display a ransom note with payment instructions and may or involve installing any malware, but was simply a straight up con using people’s naiveté and includes encryption / decryption features, and last but not least, the nancial infrastructure that allows may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. features built into iOS. First people were scammed into signing up for a fake video service that victims to pay. Once payment in is made, the code is sent to decrypt the les. required entering their Apple ID. 
Once they had the Apple ID, the hackers would create iCloud accounts using those ID’s and use the Find My Phone feature, which includes the ability to lock a The vast majority of these attacks will be launched from countries that do not have legislation (or MBR Ransomware: The Master Boot Record (MBR) is the partition of the hard drive that contains the data stolen phone, to lock the owners out of their own devices. insucient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will that allows the system to boot up. MBR ransomware changes the computer’s MBR so that, when the continue to be severely challenged to do something eective about it and will be forced to continue the computer is turned on, the ransom message is displayed and the computer will not boot. The message may The Future Of Ransomware whack-a-mole game i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else. say that the les have been encrypted although they are not. Since the computer won’t load the operating Starting September 2013, ransomware has become much more vicious and has inspired several copycats. system, the user can’t run tools to remove the infection and repair the system. At the time of this writing, summer 2014, the very rst strains of second-generation ransomware have 4) Infection vectors will continue to be more creative and hard to defend been identied. Mobile Ransomware: Most ransomware targets desktop/laptops, but there are also hacks designed for against. At the moment, links to cloud storage are being used as a social mobile devices. These include: engineering trick so people are tempted to open up zip les. But it is likely that The reasons that these strains being called second generation are drive-by ransomware infections will be the norm. 
Visiting a legit website that as follows: • Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in has been compromised and clicking on a link will be enough to encrypt the les on the workstation and/or the le server. the US, who were searching for porn and wound up downloading the software. Since Android 1) They use the TOR network for their Command & Control (C&C) servers requires permission to install any software, it is unknown how many people actually installed it which makes them much harder to shut down. after download. Users were required to pay $100 - $300 to remove it. On July 23, Kapersky 5) Attacks will technically become far more sophisticated and will be able to reported that Koler had been taken down, but didn’t say by whom. evade normal detection methods like antivirus and sandboxing technologies. 2) Trac between the malware that lives on the infected machine and its "With target audiences so large, nancing mechanisms so convenient, and C&C servers is much harder to intercept. cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice 3) Second-gen ransomware uses super strong cryptography which makes president of McAfee Labs in the company’s 2014 Predictions Report. "The decrypting it yourself impossible. emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of 4) They compress les before encrypting them. architectures and common security tactics enable attacks that are very hard to uncover." 5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which les types will be IT Managers Lack An Eective Approach To Ransomware encrypted, so that the criminal can compete and dierentiate themselves. 
In January 2014, IT Security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about What does the appearance of second generation ransomware ransomware, and only 2% were not at all concerned. One-third stated that their organization had already mean? And what can be expected in the future? Here are several likely areas of malware experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next evolution that are likely year. (How right they were!) And, while 82% were using some means of protection against ransomware, to appear: less than half (44%) considered their current solution to be even somewhat eective. Given that they • Svpeng:This mobile Trojan targets Android devices. It was discovered by Kapersky in July 2013 couldn’t protect eectively against a ransomware attack, the top strategy for dealing with it was to wipe and originally designed to steal payment card information from Russian bank customers. In early 1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber maas the device (82%) or restore the device from backup les (19%) rather than having a security service 2014, it had evolved into ransomware, locking the phones displaying a message accusing the user will become big players in this eld, followed by dozens of smaller operations spread all over the planet provider try to remove the encryption (22%) or doing it manually (9%). of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users that buy "pay-and-play" commercial ransomware. and using a fake FBI message and requiring a $200 payment with variants being used in the UK, Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Switzerland, India and Russia. 
According to Jeremy Linden, a senior security product manager for 2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected Lookout, a San Francisco-based mobile security rm, 900,000 phones were infected in the rst 30 demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat days. The software also scans for mobile banking apps but was not yet stealing the credentials. greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and eective, only 16% thought it was very eective. Nearly half (47%) considered email attachments to be Unless phones already have security software, the option to boot into safe mode and then erase all tablets. The rst waves of Android infections have occurred in 2014. the largest threat, while condence in the eectiveness of email and spam ltering had dropped from 88% the data on the phone, leaving the data on the SIM and SD cards intact. to 64% and condence in endpoint security had fallen from 96% to 59%. Given this lack of condence, it is

not surprising that they cited Security Awareness Training (88%) as the most eective protection against If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals Backup Is Not Enough ransomware, followed by backup at 81%. more money for future attacks so it is far better to take steps ahead of time to ensure that one doesn’t So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two become a victim in the rst place. This requires a complete, defense-in-depth strategy. dierent types of media, with one osite) and test the restore function on a regular basis. But a better Russian Cyber Mob Has Picked A Highly Pro table A simple step to start with is making sure that every piece of software is kept up to date. The hackers are approach is to make sure you never get infected in the rst place. This requires Security Awareness Training. Business Model looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of Regardless of how well the defense perimeter is designed the bad guys will always nd a way in. Why? patching any aws once they are found, but if the patches are never applied you have left the door wide The study asked what they would do when confronted with a scenario where backups have failed and Employees are the weakest link in any type of IT system. Data recovery rm Kroll Ontrack reports that with open for attacks. weeks of work might be lost, an astounding 57% would begin with paying the $500 ransom and hope for traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or the best. Based on these ndings, it appears the Russian cyber mob has picked a highly protable business power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also One should also ensure that every device that connects to the company’s network is secured. 
This includes model. While the overwhelming majority of IT pros think the criminals behind ransomware should be the weakest point when it comes to blocking ransomware. employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe and/or whitelisting software as well as establishing secure policies such as not allowing programs to where these criminals are largely free to commit their crimes. The chances of them being brought to justice Let’s review some of the methods that are used to spread ransomware: auto-install, blocking ports, web ltering, share access restrictions, and encryption of data at rest and in at this time are remote. The Russian government seems to use these cybercriminals as a resource they can ight. The two biggest steps, however, are those that came up in the survey: backup and user training. bring to bear against countries they are in conict with. • Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It Real-time or near-time backup can be an eective countermeasure to minimize the damage caused by is, but by the scareware itself.) ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications Surprisingly, while Security Awareness Training was considered the most eective defense against and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness • CryptoLocker sent emails with infected attachments masked as resumes to companies that had but at least one is not spending money that criminals can use to nance further attacks. Training: It’s Not Just for Compliance found that 56% of employees, excluding posted job listings on sites like Craigslist. 
The moment anyone opens these documents, the security and IT sta, had not received any Security Awareness Training from their ransomware kicks in and downtime is the result. Part of the problem is that the people involved But this, or course, assumes that the backup is complete, organizations. The quality of such training also left a lot to be desired. The EMA with hiring are very often those with the most access; the owner, CEO, HR or department heads. If is current and is able to be restored. It report found that out of those who have had some training, it was not done they are duped by the bad guys, the consequences for the entire organization can be dire. would be nice if those three conditions frequently enough to have the desired results. “Employees predominantly received were the norm for backups, but training annually, even though a higher frequency of training has been found to be • The iPhone lockout worked by getting people to disclose their Apple IDs. unfortunately that is far from the case. more eective,” said the EMA report. The fact is that backups consistently fail. David Monahan, EMA Research Director, Security and Risk Management, believes • The Android hack got people to download the software thinking they would be seeing some porn. that training is one of the most important elements in any ransomware defense In surveys, most IT managers strategy. • Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad said they rely on backup to get and download the software. them out of a tight spot. However, “Security awareness training is critical for a solid security program,” said David 57% of them agree that if their Monahan, EMA Research Director, Security and Risk Management. 
“The organiza- It isn’t enough to include the security information covered in the employee handbook or conduct an annual backup fails, they would be forced to tions that fail to train their people are doing their business, their personnel and the training session, perhaps during lunch break. To be eective, employees must be reminded throughout the pay the ransom. Sadly, too many Internet as a whole a disservice because the training they provide at work aects year of security best practices and must be tested on the job, not in the classroom, to see if they are backups fail for this to be a wise how their employees make security decisions while they are on the Internet at home as well.” applying what they have learned. approach. According to a 2013 report by Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best Symantec, Avoiding the Hidden Costs of defense, and they also know that most employees receive no or ineective Security Awareness Training, it the Cloud, 47% of enterprises lost data in is no surprise why such a high percentage are concerned about ransomware and feel their systems are How Eective Is Security Awareness Training In the cloud and had to restore their ineective. information from backups, 37% of SMBs Combatting Ransomware? have lost data in the cloud and had to Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Guarding Against Ransomware restore their information from backups and a Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their Given the rapid spread and potentially high cost of ransomware, it is important to take eective steps to startling 66% of those organizations saw recovery operations fail. workstation, KnowBe4 pays your crypto-ransom. 
Find out how aordable this is for your organization now, guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is visit our website www.knowbe4.com. not a realistic expectation. True, there are occasional high prole successes, like the one against the “Storage media fails regardless of type; it is just a matter of when,” said Je Pederson, manager of data Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond were before. good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.” Drew Robb is a freelance writer living In Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, information week and writers digest. Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and Your Money or Your Life Files those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders which resulted in much higher quality malware. This is when the rst rootkit avors A Short History Of Ransomware showed up. They were going for larger targets where more money could be stolen. This was also the time where traditional maas got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fth and current generation was the formation of an “Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are active underground economy, where stolen goods and illegal services are bought and sold in a ‘ blurring the lines between online and o ine fraud, and giving novice computer users a crash course in professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has crypto-style ransomware has seen a 700 percent-plus increase. These le-encrypting versions of ransom- opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. ware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the Some examples of this specialization are: end of August. • Cybercrime has its own social networks with escrow services One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware, • Malware can be licensed and receive tech support and its numerous variants, which encrypts the les on a user’s computer and demands the user pay a • You can rent botnets by the hour, for your own crime spree ransom, usually in Bitcoins, in order to receive the key to decrypt the les. But Cryptolocker is just one • Pay-for-play malware infection services have appeared that quickly create botnets approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To • A lively market for zero-day exploits (unknown software vulnerabilities) has been established guard against ransomware, it is not enough to know the malware that is making the rounds that day. 
It is vital to have a broader understanding of the topic, so one can take eective countermeasures against this evolving threat.

Hacking Generations The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing increases malware quality, speeds up the criminal ‘supply chain’ and eectively spreads risk among these nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. see what they could get away with. It is now a multi-billion global activity being run by organized Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing the miscreants have done over the last 10 years. services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the The History Of Ransomware cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai. Now that we’ve sketched out the various hacking generations let’s zero in on ransomware and how it has evolved over time. Generation One -Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large 1989: Ransomware can be simply dened as a type of malware that restricts access to a computer system extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released with a oppy disk to transfer the virus. way back in 1989. 
It was written by Harvard-trained evolutionary biologist Joseph L. Popp who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Generation Two -These early day ‘sneaker-net’ viruses were followed by a much more malicious type of Organization’s international AIDS conference. He included a leaet with the diskettes warning that the super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that software would “adversely aect other program applications,” and that “you will owe compensation and started to cause multi-million dollar losses. These were still more or less created to get notoriety, with possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.”The students showing o their “elite skills”. AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the les on the C: drive. To regain access, the user Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for would have to send $189 to PC Cyborg Corp. at a post oce box in Panama. easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to nd symmetric cryptography and tools were soon available to decrypt the lenames. But the AIDS Trojan set the and easy to disinfect. scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person that spyware was detected on their computer and which would then entice the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had now moved over into full-blown ransomware. “The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer,” says Russinovich. “Today’s scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all.” Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, creating a full-screen window and constantly raising the window to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user’s processes to continue running, but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams. But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

“An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.”

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen be taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI’s Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OSX that ran in Safari and demanded a $300 fine. This time it didn’t lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: “This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules.” Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the code must be cracked before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for anyone without a $10 billion budget.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, and used it to encrypt files with certain file extensions, and delete the originals. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States.” Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

The original Gameover ZeuS/CryptoLocker network was taken down late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has their own unique characteristics.

“All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and texts instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.” Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) - Also known as Critoni.A. This was discovered midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014 Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families.

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS or France's SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.

• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.

• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

Chart (KnowBe4 study, June 2014): Email and spam filtering effectiveness dropped from 88% to 64% over the months January through June.


SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the partition of the hard drive that contains the data that allows the system to boot up. MBR ransomware changes the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system.

Mobile Ransomware: Most ransomware targets desktop/laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.

• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless phones already have security software, the option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.

• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight up con using people’s naiveté and features built into iOS. First people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified.

The reasons that these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers which makes them much harder to shut down.

2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.

3) Second-gen ransomware uses super strong cryptography which makes decrypting it yourself impossible.

4) They compress files before encrypting them.

5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several areas of malware evolution that are likely to appear:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.

2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.

3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.

The vast majority of these attacks will be launched from countries that do not have legislation (or insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legit website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.

5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies.

"With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT Security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought it was very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is

not surprising that they cited Security Awareness Training (88%) as the most eective protection against If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals Backup Is Not Enough ransomware, followed by backup at 81%. more money for future attacks so it is far better to take steps ahead of time to ensure that one doesn’t So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two become a victim in the rst place. This requires a complete, defense-in-depth strategy. dierent types of media, with one osite) and test the restore function on a regular basis. But a better Russian Cyber Mob Has Picked A Highly Pro table A simple step to start with is making sure that every piece of software is kept up to date. The hackers are approach is to make sure you never get infected in the rst place. This requires Security Awareness Training. Business Model looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of Regardless of how well the defense perimeter is designed the bad guys will always nd a way in. Why? patching any aws once they are found, but if the patches are never applied you have left the door wide The study asked what they would do when confronted with a scenario where backups have failed and Employees are the weakest link in any type of IT system. Data recovery rm Kroll Ontrack reports that with open for attacks. weeks of work might be lost, an astounding 57% would begin with paying the $500 ransom and hope for traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or the best. Based on these ndings, it appears the Russian cyber mob has picked a highly protable business power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also One should also ensure that every device that connects to the company’s network is secured. 
Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

…model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource it can bring to bear against countries it is in conflict with.

…the weakest point when it comes to blocking ransomware. Let’s review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)
• CryptoLocker sent emails with infected attachments disguised as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens one of these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.
• The iPhone lockout worked by getting people to disclose their Apple IDs.
• The Android hack got people to download the software thinking they would be seeing some porn.
• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and you download the software.

This includes employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks.

But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

“Storage media fails regardless of type; it is just a matter of when,” said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.”

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It’s Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that out of those who have had some training, it was not done frequently enough to have the desired results. “Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective,” said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy. “Security awareness training is critical for a solid security program,” said Monahan. “The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well.”

It isn’t enough to include the security information covered in the employee handbook or to conduct an annual training session, perhaps during lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

Given that IT expects ransomware to increase, knows that Security Awareness Training is the best defense, and also knows that most employees receive no or ineffective Security Awareness Training, it is no surprise that such a high percentage are concerned about ransomware and feel their systems are ineffective.

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now: visit our website www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.
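The three backup conditions set out in the Guarding Against Ransomware section above (complete, current, able to be restored) are easy to assert and rarely checked. The following Go program is an added illustration, not code from the paper or from any backup product, of how to check them mechanically: a manifest of SHA-256 hashes is recorded when the backup is taken, and a later verification pass reports files that are missing, files whose contents no longer match what was recorded (which is exactly what an encrypted backup share looks like), and a snapshot older than a chosen maximum age. The manifest layout, the directory names and the two sample files are this example's own constructions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"time"
)

// Manifest is recorded when the backup is taken: the time, and the SHA-256 of every
// file keyed by its slash-separated path relative to the backup root.
type Manifest struct {
	Taken time.Time
	Files map[string]string
}

type Report struct {
	Missing   []string // in the manifest but absent: the backup is not complete
	Corrupted []string // present but contents changed: not restorable as recorded
	Stale     bool     // older than allowed: the backup is not current
}

func (r Report) OK() bool { return len(r.Missing) == 0 && len(r.Corrupted) == 0 && !r.Stale }

func hashFile(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(data)), nil
}

// Snapshot walks the tree and records every regular file.
func Snapshot(root string, taken time.Time) (*Manifest, error) {
	m := &Manifest{Taken: taken, Files: map[string]string{}}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		h, err := hashFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		m.Files[filepath.ToSlash(rel)] = h
		return nil
	})
	return m, err
}

// Verify re-hashes every manifest entry under root and checks the snapshot age.
func Verify(root string, m *Manifest, now time.Time, maxAge time.Duration) Report {
	var r Report
	for rel, want := range m.Files {
		got, err := hashFile(filepath.Join(root, filepath.FromSlash(rel)))
		switch {
		case err != nil:
			r.Missing = append(r.Missing, rel)
		case got != want:
			r.Corrupted = append(r.Corrupted, rel)
		}
	}
	sort.Strings(r.Missing)
	sort.Strings(r.Corrupted)
	r.Stale = now.Sub(m.Taken) > maxAge
	return r
}

// writeSampleBackup creates a constructed two-file backup tree in a temp directory.
func writeSampleBackup() (string, error) {
	root, err := os.MkdirTemp("", "backup-check")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"finance/q3.xlsx": "quarterly numbers",
		"db/dump.sql":     "CREATE TABLE accounts (id INT);",
	}
	for rel, body := range files {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, _ := writeSampleBackup()
	defer os.RemoveAll(root)
	m, _ := Snapshot(root, time.Now())
	os.Remove(filepath.Join(root, "finance", "q3.xlsx")) // simulate a lost file
	fmt.Printf("%+v\n", Verify(root, m, time.Now(), 24*time.Hour))
}
```

Keep the manifest somewhere the backup job's own credentials cannot write, or sign it; ransomware that reaches the backup share would otherwise rewrite both the files and the record of what they should be. Hash checking catches silent corruption and missing files, but it is no substitute for periodically restoring onto spare hardware, which is the only test of a restore procedure nobody has rehearsed.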

To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.

Hacking Generations

Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion global activity being run by organized cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation Two - These early day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their “elite skills”.

Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal, who used the botnet for sending spam, attacking websites, identity theft and other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

The problem with this underground economy is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal ‘supply chain’ and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

The History Of Ransomware

Now that we’ve sketched out the various hacking generations, let’s zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp, who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. He included a leaflet with the diskettes warning that the software would “adversely affect other program applications,” and that “you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.” The AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography, with the key embedded in the malware itself, and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a persistent notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person that spyware was detected on their computer and which would then entice the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer, with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had moved over into full-blown ransomware. “The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer,” says Russinovich. “Today’s scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all.” Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, and creating a full-screen window and constantly raising it to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user’s processes to continue running but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated: “An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.”

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions would also take over the computer’s webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI’s Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OS X that ran in Safari and demanded a $300 fine. This time it didn’t lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: “This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules.” Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the files can only be recovered if the key can be obtained or the implementation turns out to be flawed. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, no publicly known method will factor a 2048-bit RSA modulus, whatever the budget. Where victims have recovered files without paying, it has been because the criminals made mistakes in key handling, as the Locker and CryptoDefense entries below show, not because the mathematics was broken.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. Its command-and-control server generated a 2048-bit RSA key pair for each infection and sent only the public key to the infected machine; the private key never left the server. The malware then encrypted files with certain file extensions (each under its own symmetric key, which was in turn wrapped with the RSA public key) and deleted the originals. It would then threaten to delete the private key if payment was not received within three days.

Payments initially could be made in Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices varied over time and with the particular version being used, in mid-November 2013, when the going ransom was 2 Bitcoins or about $460, those who missed the original ransom deadline could pay 10 Bitcoins ($2,300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server, which would then search for the associated private key.

According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States.” Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet, which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada, Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May, since later infections are likely to use different encryption keys.

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks. As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

CryptoLocker Copycats

The original Gameover ZeuS/CryptoLocker network was taken down in late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt, since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has its own unique characteristics.

"All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and text instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.” Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++, so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense – This arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit RSA encryption. However, because it generated the key pair locally through Windows’ built-in CryptoAPI, which persists generated keys in the user’s key store, a copy of the private key was left on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites hosting CryptoWall, which then encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total of $1,101,900 in ransom. Nearly two-thirds paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael (AES) algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014 Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

SynoLocker – This appeared in August 2014. Unlike the others, which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) – Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an Eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit – This surfaced in December 2013. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide. One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families:

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS or France's SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.
• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.
• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the key is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the first sector of the hard drive; it holds the boot code that starts the operating system and the partition table. MBR ransomware overwrites the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system. Because the file systems themselves are typically untouched in this variant, booting from clean rescue media and restoring the MBR from a known-good copy is usually enough to recover.

Mobile Ransomware: Most ransomware targets desktops and laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, three-quarters of them in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.
• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S.
• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight up con using people’s naiveté and features built into iOS. First, people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. The reasons these strains are called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers, which makes them much harder to shut down.
2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.
3) Second-gen ransomware uses super strong cryptography which, when implemented correctly, makes decrypting it yourself impossible.
4) They compress files before encrypting them.
5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several likely areas of malware evolution:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet
3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay. The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.
4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legitimate website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.
5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies. "With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

KnowBe4 study, June 2014: 88% expect ransomware to increase the rest of the year.
users that buy "pay-and-play" commercial ransomware. and using a fake FBI message and requiring a $200 payment with variants being used in the UK, Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for 2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected Lookout, a San Francisco-based mobile security rm, 900,000 phones were infected in the rst 30 demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat days. The software also scans for mobile banking apps but was not yet stealing the credentials. greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and eective, only 16% thought it was very eective. Nearly half (47%) considered email attachments to be Unless phones already have security software, the option to boot into safe mode and then erase all tablets. The rst waves of Android infections have occurred in 2014. the largest threat, while condence in the eectiveness of email and spam ltering had dropped from 88% the data on the phone, leaving the data on the SIM and SD cards intact. to 64% and condence in endpoint security had fallen from 96% to 59%. Given this lack of condence, it is
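The file-encryptor family described above has two behavioural traits that a detection rule can catch regardless of which variant is running: one process rewrites a large number of user documents in a short window, and what it writes back is high-entropy data (encrypted, or compressed-then-encrypted, content is statistically indistinguishable from random bytes, whereas documents are not). The following is an added example written for this page, not code from the whitepaper or from KnowBe4; the event record layout, the process names (including the constructed "cryptolocker.exe"), the document extensions and the thresholds are assumptions chosen for illustration, and the activity log it runs over is constructed inline.

```python
"""Behavioural detection of file-encrypting ransomware over a file-activity log.

Added example; not code from the whitepaper. Event format, process names,
extensions and thresholds are assumptions chosen for illustration.
"""
import math
from collections import defaultdict
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List


@dataclass
class FileEvent:
    t: float               # seconds since monitoring started
    process: str           # image name of the process doing the I/O
    op: str                # "write" or "rename"
    path: str              # file written, or old path for a rename
    new_path: str = ""     # destination path for a rename
    data: bytes = b""      # bytes written (only used for the entropy check)


# Assumption: these are the "user document" types worth protecting.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg"}


def ext_of(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for random or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pseudo_random_bytes(n: int, seed: bytes) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter chain) so the demo is repeatable."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += sha256(seed + i.to_bytes(4, "big")).digest()
    return bytes(out[:n])


def max_distinct_in_window(times: List[float], window: float) -> int:
    """Largest number of timestamps that fall inside any `window`-second span."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_encryptors(events: List[FileEvent], window: float = 60.0,
                      min_files: int = 20, entropy_threshold: float = 7.2) -> Dict[str, List[str]]:
    """Return {process: [reasons]} for processes behaving like a file encryptor.

    A process is flagged if, within any `window` seconds, it overwrote at least
    `min_files` distinct documents with high-entropy content, or renamed at least
    `min_files` documents to a different extension (the ".encrypted"-style rename)."""
    hi_writes: Dict[str, Dict[str, float]] = defaultdict(dict)   # process -> {path: first t}
    renames: Dict[str, Dict[str, float]] = defaultdict(dict)
    for e in events:
        if ext_of(e.path) not in DOC_EXTS:
            continue                                  # only user documents count
        if e.op == "write" and shannon_entropy(e.data) >= entropy_threshold:
            hi_writes[e.process].setdefault(e.path, e.t)
        elif e.op == "rename" and ext_of(e.new_path) != ext_of(e.path):
            renames[e.process].setdefault(e.path, e.t)

    flagged: Dict[str, List[str]] = defaultdict(list)
    for proc, paths in hi_writes.items():
        n = max_distinct_in_window(list(paths.values()), window)
        if n >= min_files:
            flagged[proc].append(f"{n} high-entropy document writes within {window:.0f}s")
    for proc, paths in renames.items():
        n = max_distinct_in_window(list(paths.values()), window)
        if n >= min_files:
            flagged[proc].append(f"{n} documents renamed to a new extension within {window:.0f}s")
    return dict(flagged)


def sample_events() -> List[FileEvent]:
    """Constructed activity log: a benign editor save, a benign archiver, one encryptor."""
    events = [
        FileEvent(1.0, "winword.exe", "write", "/home/ann/docs/report.docx",
                  data=b"Quarterly report: revenue up 4%, costs flat. " * 40),
        FileEvent(2.0, "7z.exe", "write", "/home/ann/archive.7z",
                  data=pseudo_random_bytes(4096, b"compressed")),  # high entropy, but not a document
    ]
    for i in range(25):
        path = f"/home/ann/docs/file{i}.xlsx"
        events.append(FileEvent(10.0 + i, "cryptolocker.exe", "write", path,
                                data=pseudo_random_bytes(4096, path.encode())))
        events.append(FileEvent(10.5 + i, "cryptolocker.exe", "rename", path,
                                new_path=path + ".encrypted"))
    return events


if __name__ == "__main__":
    for proc, reasons in detect_encryptors(sample_events()).items():
        print(proc, "->", "; ".join(reasons))
```

Two caveats a practitioner should keep in mind. Compressing a file before encrypting it, as the second-generation strains described above do, does not lower the entropy of the output, so the content check still fires. Conversely, JPEG and archive formats are high-entropy by nature, so a photo import or a backup job that touches many such files can trip the entropy rule on its own; in production, require the rename rule to corroborate it, or exempt known processes, before acting on the alert.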


Russian Cyber Mob Has Picked A Highly Profitable Business Model

The study also asked what respondents would do when confronted with a scenario where backups have failed and weeks of work might be lost: an astounding 57% would begin by paying the $500 ransom and hoping for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource it can bring to bear against countries it is in conflict with.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It's Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that, among those who had received some training, it was not done frequently enough to have the desired results. "Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective," said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy. "Security awareness training is critical for a solid security program," said Monahan. "The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice, because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well."

Given that IT expects ransomware to increase, that they know Security Awareness Training is the best defense, and that they also know most employees receive no or ineffective Security Awareness Training, it is no surprise that such a high percentage are concerned about ransomware and feel their defenses are ineffective.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high-profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

If one is hit and can't recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn't become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company's network is secured. This includes employees' smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-real-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks.

But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

"Storage media fails regardless of type; it is just a matter of when," said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. "To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss."

Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training.

Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also the weakest point when it comes to blocking ransomware.

Let's review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)

• CryptoLocker sent emails with infected attachments disguised as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.

• The iPhone lockout worked by getting people to disclose their Apple IDs.

• The Android hack got people to download the software thinking they would be seeing some porn.

• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and you download the software.

It isn't enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during a lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now: visit our website www.knowbe4.com.
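The backup advice in the Backup Is Not Enough section above rests on a condition the survey numbers show is routinely unmet: the backup must actually restore, byte for byte, when it is needed. The check that proves it is a test restore against a checksum manifest taken at backup time. The following is an added example written for this page, not code from the whitepaper or from KnowBe4: it backs up a constructed sample tree to a gzip tarball, records a SHA-256 manifest, restores into an empty directory and compares, then deliberately corrupts one restored file and deletes another to show what a failed restore test reports. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Test-restore check for a backup, as the 3-2-1 advice above recommends.

Added example; not code from the whitepaper. The sample tree is constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(root: Path, archive: Path) -> Dict[str, str]:
    """Write root into a gzip tarball and return the manifest taken at backup time.
    Keep the manifest with the offsite copy, not beside the archive: ransomware that
    reaches the backup share can rewrite both."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract into dest. The 'data' filter (Python 3.12, backported to 3.8.17+)
    refuses absolute paths and '..' traversal that a crafted archive could carry."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)  # assumption: the archive came from our own make_backup


def verify_restore(manifest: Dict[str, str], restored: Path) -> List[str]:
    """Compare a restored tree to the manifest; an empty list means the restore is good."""
    actual = build_manifest(restored)
    problems = [f"missing: {rel}" for rel in manifest if rel not in actual]
    problems += [f"checksum mismatch: {rel}" for rel, digest in manifest.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return sorted(problems)


def run_demo() -> Tuple[List[str], List[str]]:
    """Back up a constructed tree and restore it twice: once intact, once with a
    silently corrupted file and a lost file, to show what a failed test looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "report.txt").write_text("quarterly numbers\n")
        (live / "docs" / "notes.txt").write_text("meeting notes\n")
        (live / "ledger.csv").write_text("id,amount\n1,10\n2,25\n")

        archive = base / "backup.tar.gz"
        manifest = make_backup(live, archive)

        good = base / "restore_good"
        restore(archive, good)
        clean = verify_restore(manifest, good)

        bad = base / "restore_bad"
        restore(archive, bad)
        (bad / "docs" / "report.txt").write_bytes(b"\x00" * 17)  # media error or truncated copy
        (bad / "ledger.csv").unlink()                             # file that never made it
        broken = verify_restore(manifest, bad)
    return clean, broken


if __name__ == "__main__":
    clean, broken = run_demo()
    print("intact restore:", "OK" if not clean else clean)
    print("damaged restore:", broken)
```

Run it on a schedule against a copy pulled from the offsite medium, not the live share, and treat any non-empty result as a failed backup. A manifest taken while an encryptor is already rewriting files will faithfully record the encrypted content, so the timestamp of the last known-good manifest is also the point in time your restore can get you back to.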
Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.

A Short History Of Ransomware

"Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence Report that crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the end of August.

One of the key methods cybercriminals are using is ransomware, most famously the CryptoLocker malware and its numerous variants, which encrypts the files on a user's computer and demands the user pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But CryptoLocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.

Hacking Generations

Let's begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion dollar global activity run by organized cybercrime, hiring experienced, professional coders and running e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran's uranium enrichment facilities or the cyberespionage specialists of People's Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One: Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it; relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses, as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation Two: These early-day 'sneaker-net' viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their "elite skills".

Generation Three: Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal, who used the botnet to send spam, attack websites, commit identity theft and other nefarious activities. The malware used was more advanced than the code of the 'pioneers' but was still easy to find and easy to disinfect.

Generation Four: Here is where cybercrime turned professional. The malware began to hide itself, and those behind it became better organized. They were mostly in Eastern European countries and used more mature coders, which resulted in much higher quality malware. This is when the first rootkit flavors showed up. They were going for larger targets where more money could be stolen. This was also the time when traditional mafias got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five: The main event that created the fifth and current generation was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a 'professional' manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the 'industry' to relatively inexperienced criminals who can learn the trade and get to work quickly. Some examples of this specialization are:

• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal 'supply chain' and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

The History Of Ransomware

Now that we've sketched out the various hacking generations, let's zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp, who sent 20,000 infected diskettes labeled "AIDS Information – Introductory Diskettes" to attendees of the World Health Organization's international AIDS conference. He included a leaflet with the diskettes warning that the software would "adversely affect other program applications," and that "you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally." The AIDS Trojan would count the number of times the computer was booted and, once the count reached 90, would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography, and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come, though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a persistent notice, appearing to be a Windows alert, which pops up on the infected machine telling the person that spyware was detected on their computer and then entices the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer, with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had moved over into full-blown ransomware.

"The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer," says Russinovich. "Today's scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all."

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, and creating a full-screen window and constantly raising it to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user's processes to continue running, but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee's Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

"An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer's regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount."

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact "crime" and "law enforcement agency" are tailored to the user's locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions would also take over the computer's webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London's Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI's Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OS X that ran in Safari and demanded a $300 fine. This time it didn't lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. Also in July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn't mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: "This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules." Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the files cannot be recovered without the key. And, though there are persistent rumors that the NSA can crack 2048-bit RSA, which it of course denies, no publicly known technique comes anywhere close, so there is no practical way for a victim, or a security vendor, to recover the key by brute force.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. On infection it contacted a command-and-control server, which generated a unique 2048-bit RSA key pair and handed back only the public key; the malware then encrypted files with certain file extensions (each file under its own AES key, which was in turn wrapped with the RSA public key) and deleted the originals. Because the private key never left the criminals' server, it could not be recovered from the infected machine. The malware would then threaten to delete the private key if payment was not received within three days. Payments initially could be made in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn't received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013, when the going ransom was 2 Bitcoins or about $460, those who missed the original ransom deadline could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server, and the server would then search for the associated private key.

According to Dell SecureWorks, "The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States." Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet, which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada, Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May, since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: "While seizing the majority of the GameOver Zeus Botnets from the suspected 'mastermind' Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it's a very bold claim to state that Cryptolocker has been 'neutralized'. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev's servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease."

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense, which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end user to install the ransomware, using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment, up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim's computer to mine digital coins such as Bitcoin and deposit them in the malware developer's digital wallet.

RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows' built-in encryption APIs, the private key was left unprotected on the infected computer, in the key store those APIs write to disk. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker appeared in August 2014. Unlike the others, which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins, and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker), also known as Critoni.A, was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English-language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an Eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware: Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the "police." This software started out in Eastern Europe, perhaps preying on citizens' understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families.

The original Gameover ZeuS/CryptoLocker network was taken down late May 2014, but resurfaced by July CryptoWall – April 2014, the cyber criminals behind CryptoDefense release an 2014. In fact, you didn’t even have to wait for that network to be rebuilt since copycats had already hit the improved version called CryptoWall. While largely similar to the earlier edition, Net. While they generally have a similar overall operating pattern of encryption and extortion, they come CryptoWall doesn’t store the encryption key where the user can get to it. In from dierent sets of hackers and each has their own unique characteristics. addition, while CryptoDefense required the user to open an infected attach- ment, CryptoWall uses a Java vulnerability. Malicious advertisements on "All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, domains belonging to Disney, Facebook, The Guardian newspaper and many but they have some improvements,” says Mot. “First is that there is no GUI and instead just background others led people to sites that were CryptoWall infected and encrypted their drives. According to an August changes and texts instructions in every directory that was encrypted. Second is that you no longer pay 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser largest and most destructive ransomware threat on the Internet as of this publication, and they expect this to pay them securely and directly. This allows malware authors to skip money mules and increase the threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, percent of prots.” The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants with 5.25 billion les being encrypted. 
1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo paid $500, but the amounts ranged from $200 to $10,000. Here are some of the variations we have seen so far: family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS Locker – This was apparently the rst copycat software, initially noted in early December 2013. It cost or France's SACEM. A US variant, FBI MoneyPak claims the person viewed child pornography and demand a TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses $100 ne be sent via MoneyPak. users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But components of CryptoLocker and CryptoWall but with completely dierent code from these other two apparently the code was poorly designed: security rm IntelCrawler said it found a way to decrypt the les ransomware families.” It spreads through spam and uses the Rijndael algorithm for le encryption rather without paying ransom. • The Reveton family of malware is covered earlier in this paper also includes the variants Matsnu than RSA-2048. Ransom is paid by purchasing Bitcoins from specic Australian Bitcoin websites. and Rannoh. Cryptoblocker – July 2014 Trend Micro reported a new ransomware that doesn’t encrypt les that are larger CryptoLocker 2.0 –This version was also on the market by mid-December. Despite the name similarity, than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. • Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a dierent It uses AES rather than RSA encryption. programming team. 
Among other dierences, 2.0 would only accept Bitcoins, and it would encrypt image, responsible for Police Ransomware scams that have spread throughout North and South America music and video les which the original skipped. And, while it claimed to use RSA-4096, it actually used since April of 2012.
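Several of the behaviours catalogued above are visible on disk without a malware sample in hand: the copycats drop an instruction file in every directory they touch, CryptorBit overwrites the first 212 or 1024 bytes of a file so its header no longer matches its extension, and any file encryptor leaves behind contents that look like uniformly random bytes. The following Python script is an added example written for this page (it is not code from the paper or from any of the families it describes) that turns those three observations into a quick triage pass over a directory tree. The ransom-note file names, the entropy threshold and the sample tree it builds are all assumptions constructed for the demo.

```python
"""Triage a directory tree for the on-disk traces left by file-encrypting ransomware."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes expected for a few common document types.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Assumed note file names (matched case-insensitively); real families use their own.
NOTE_NAMES = frozenset({"decrypt_instructions.txt", "how_to_decrypt.txt"})
SAMPLE_BYTES = 4096      # only the head of each file is read, so file size does not matter
ENTROPY_THRESHOLD = 7.5  # bits per byte: CSPRNG output is about 7.95, English text about 4.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_mismatch(path: Path, head: bytes) -> bool:
    """True when the extension promises a known header and the bytes do not deliver it."""
    magic = MAGIC.get(path.suffix.lower())
    return magic is not None and not head.startswith(magic)


def triage(root) -> dict:
    """Walk root and collect indicators; paths are reported relative to root, POSIX style."""
    root = Path(root)
    findings = {"header_mismatch": [], "high_entropy": [], "note_dirs": Counter()}
    for dirpath, _, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in NOTE_NAMES:
                findings["note_dirs"][rel_dir] += 1
                continue
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            rel = path.relative_to(root).as_posix()
            if header_mismatch(path, head):
                findings["header_mismatch"].append(rel)
            # Entropy is only meaningful for types without a known layout: a healthy .docx or
            # .jpg is already compressed and would read as random, so those rely on the header check.
            elif path.suffix.lower() not in MAGIC and shannon_entropy(head) > ENTROPY_THRESHOLD:
                findings["high_entropy"].append(rel)
    return findings


def verdict(findings: dict) -> bool:
    """Notes in more than one directory plus damaged or random-looking files: treat as an outbreak."""
    damaged = bool(findings["header_mismatch"] or findings["high_entropy"])
    return len(findings["note_dirs"]) > 1 and damaged


def pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in for ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_tree(base) -> Path:
    """Construct a small synthetic victim tree: two healthy files, two damaged ones, two notes."""
    docs = Path(base) / "docs"
    sub = docs / "sub"
    sub.mkdir(parents=True, exist_ok=True)
    (docs / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 40)
    (docs / "readme.txt").write_bytes(b"Quarterly notes: nothing unusual to report.\n" * 60)
    # CryptorBit-style damage: the first 212 bytes of a JPEG overwritten, the rest left alone.
    (docs / "photo.jpg").write_bytes(b"\x00" + pseudo_random(211) + b"\xff\xd8\xff\xe0" + b"\x00" * 2048)
    # A fully encrypted file renamed to an extension the scanner knows nothing about.
    (sub / "ledger.xlsx.encrypted").write_bytes(pseudo_random(8192, b"ledger"))
    for d in (docs, sub):
        (d / "DECRYPT_INSTRUCTIONS.txt").write_text("Install the Tor Browser and follow the link to pay.\n")
    return Path(base)


def demo() -> dict:
    """Build the synthetic tree in a fresh temporary directory and triage it."""
    return triage(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    result = demo()
    for key, items in result.items():
        print(f"{key}: {items}")
    print("likely ransomware outbreak:", verdict(result))
```

Run it as-is to triage the synthetic tree it builds in a temporary directory, or call triage() on a mounted image of a suspect volume. The entropy check is deliberately limited to extensions without a known header: a .docx or .jpg is already compressed and would read as random, which is why the header check, not entropy, is what catches CryptorBit-style damage. Cryptoblocker's habit of skipping files over 100MB is a reminder that the absence of large damaged files means nothing; since the scan reads only the first 4KB of each file, it is cheap enough to run over everything.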

SMS Ransomware – This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors – These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment in Bitcoin is made, the code is sent to decrypt the files.

MBR Ransomware – The Master Boot Record (MBR) is the first sector of the hard drive; it holds the boot code and the partition table that allow the system to boot up. MBR ransomware overwrites the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system.

Mobile Ransomware – Most ransomware targets desktops and laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, three-quarters of them in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.
• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users, using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless the phone already has security software, the only option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.
• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight-up con using people’s naiveté and features built into iOS. First, people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting in September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. The reasons these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers, which makes them much harder to shut down.
2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.
3) Second-gen ransomware uses very strong cryptography, which makes decrypting it yourself impossible.
4) They compress files before encrypting them.
5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several areas of malware evolution that are likely to appear:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.
2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad has already happened, and is likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.
3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.
The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.
4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legitimate website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.
5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies.

"With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought they were very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%.

[Chart: KnowBe4 study, June 2014. Only 16% feel their current solutions are very effective, while 72% feel they are somewhat effective.]

Given this lack of confidence, it is not surprising that they cited Security Awareness Training (88%) as the most effective protection against ransomware, followed by backup at 81%.
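Returning to the MBR Ransomware family described above: because the machine no longer boots, the check has to be run from outside the infected system, on the first sector of the disk as read from a rescue environment or a disk image. The following Python script is an added example (not from the paper) that parses the 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries and the 0x55AA signature), compares the bootstrap code against a SHA-256 baseline captured from a known-good machine, and sanity-checks the partition table. Both MBR images it builds are constructed for the demo; the "ransomed" one is not a real sample, and the baseline hash is simply whatever the clean image produces.

```python
"""Check a 512-byte Master Boot Record for the kind of tampering MBR ransomware performs."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR = 512
BOOT_CODE_LEN = 446      # bootstrap code occupies bytes 0..445
TABLE_OFFSET = 446       # four 16-byte partition entries follow
ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass
class Partition:
    status: int     # 0x80 = active/bootable, 0x00 = inactive
    ptype: int      # partition type byte; 0x00 means the slot is unused
    lba_start: int  # first sector (little-endian uint32)
    sectors: int    # length in sectors (little-endian uint32)

    @property
    def used(self) -> bool:
        return self.ptype != 0


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four entries; the CHS fields are skipped because modern loaders use the LBA values."""
    entries = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + i * ENTRY_LEN)
        entries.append(Partition(status, ptype, lba, size))
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap area; record this from a known-good machine as the baseline."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return the problems found; an empty list means the sector matches expectations."""
    if len(mbr) != SECTOR:
        return [f"wrong length {len(mbr)}, expected {SECTOR}"]
    problems = []
    if mbr[510:512] != SIGNATURE:
        problems.append("boot signature 0x55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        problems.append("bootstrap code differs from baseline")
    # Real boot code is machine code with a few short strings; a ransom screen stored here is mostly text.
    printable = sum(32 <= b < 127 for b in mbr[:BOOT_CODE_LEN])
    if printable > BOOT_CODE_LEN // 2:
        problems.append("bootstrap area is mostly printable text")
    parts = parse_partitions(mbr)
    if sum(p.status == 0x80 for p in parts) > 1:
        problems.append("more than one active partition")
    if not any(p.used for p in parts):
        problems.append("partition table empty")
    for i, p in enumerate(parts):
        if p.status not in (0x00, 0x80):
            problems.append(f"entry {i}: invalid status byte 0x{p.status:02x}")
        if p.used and (p.lba_start == 0 or p.sectors == 0):
            problems.append(f"entry {i}: used entry with zero start or length")
    return problems


def make_clean_mbr() -> bytes:
    """Constructed stand-in for a healthy MBR: a plausible bootstrap prefix and one NTFS partition."""
    prefix = bytes.fromhex("33c08ed0bc007cfb")  # xor ax,ax / mov ss,ax / mov sp,0x7c00 / sti
    strings = b"Invalid partition table\x00Error loading operating system\x00Missing operating system\x00"
    code = prefix + b"\x00" * (BOOT_CODE_LEN - len(prefix) - len(strings)) + strings
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry0 + b"\x00" * (3 * ENTRY_LEN)
    return code + table + SIGNATURE


def make_ransomed_mbr(clean: bytes) -> bytes:
    """Constructed tampering: bootstrap area replaced by a ransom screen; table and signature kept."""
    note = b"YOUR DISK HAS BEEN LOCKED. SEND 0.5 BTC TO RESTORE ACCESS.\r\n"
    screen = (note * (BOOT_CODE_LEN // len(note) + 1))[:BOOT_CODE_LEN]
    return screen + clean[BOOT_CODE_LEN:]


if __name__ == "__main__":
    clean = make_clean_mbr()
    baseline = boot_code_hash(clean)  # in practice: stored at build time, from the same machine
    print("clean:", check_mbr(clean, baseline) or "no problems")
    print("ransomed:", check_mbr(make_ransomed_mbr(clean), baseline))
    print("zeroed:", check_mbr(b"\x00" * SECTOR, baseline))
```

On a live Linux system the sector comes from open("/dev/sda", "rb").read(512) as root; on Windows, from \\.\PhysicalDrive0 as Administrator. The bootstrap hash is the strong signal: the boot code does not change in normal operation, so a hash that differs from the one recorded at build time means something rewrote the sector (a legitimate boot loader reinstall included, which is why the baseline must be refreshed after one). The printable-text heuristic is a weaker backstop for disks whose baseline was never recorded, since a ransom message stored in the boot area reads as text while real boot code does not.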


Russian Cyber Mob Has Picked A Highly Profitable Business Model

The KnowBe4 study also asked what respondents would do when confronted with a scenario where backups have failed and weeks of work might be lost: an astounding 57% would begin by paying the $500 ransom and hoping for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource it can bring to bear against countries it is in conflict with.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It’s Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that among those who have had some training, it was not done frequently enough to have the desired results. “Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective,” said the EMA report. David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy.

“Security awareness training is critical for a solid security program,” said Monahan. “The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well.”

Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best defense, and that they also know most employees receive no or ineffective Security Awareness Training, it is no surprise that such a high percentage are concerned about ransomware and feel their systems are ineffective.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high-profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn’t become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching any flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company’s network is secured. This includes employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as establishing secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks.

But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

“Storage media fails regardless of type; it is just a matter of when,” said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.”

Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training. Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also the weakest point when it comes to blocking ransomware.

Let’s review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)
• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.
• The iPhone lockout worked by getting people to disclose their Apple IDs.
• The Android hack got people to download the software thinking they would be seeing some porn.
• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and download the software.

It isn’t enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during a lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now; visit our website www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.

Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders, which resulted in much higher quality malware. This is when the first rootkit flavors showed up. They were going for larger targets where more money could be stolen. This was also the time when traditional mafias got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fifth and current generation was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. Some examples of this specialization are:

• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal ‘supply chain’ and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

“Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime,” said Brian Krebs. Symantec reported in their August 2014 Intelligence report that crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the end of August.

One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware and its numerous variants, which encrypts the files on a user’s computer and demands the user pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.

Hacking Generations

Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion dollar global activity being run by organized cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation Two - These early-day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their “elite skills”.

Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal, who used the botnet to send spam, attack websites, commit identity theft and carry out other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

The History Of Ransomware

Now that we’ve sketched out the various hacking generations, let’s zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp, who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. He included a leaflet with the diskettes warning that the software would “adversely affect other program applications,” and that “you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.” The AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, the GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person that spyware was detected on their computer and which would then entice the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had now moved over into full-blown ransomware.

“The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer,” says Russinovich. “Today’s scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all.”

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, creating a full-screen window and constantly raising the window to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user’s processes to continue running, but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

“An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.”

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI’s Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OSX that ran in Safari and demanded a $300 fine. This time it didn’t lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: “This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules.”

Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the code must be cracked before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for anyone without a $10 billion budget.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, and used it to encrypt files with certain file extensions, and delete the originals. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States.” Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,
Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/) is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

The original Gameover ZeuS/CryptoLocker network was taken down late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has their own unique characteristics.

"All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and text instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.”

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) – Also known as Critoni.A. This was discovered midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014, Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families.

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS or France's SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.

• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.

• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

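Among the copycats above, CryptorBit stands out because it overwrites the first 212 or 1024 bytes of every data file rather than encrypting whole files by extension, so files keep their names but lose the format headers that identify them. The Python script below is an added defender-side example, not code from the whitepaper or from any vendor it mentions: it walks a directory tree and flags files whose leading bytes no longer match the magic number their extension implies, which is the kind of sweep a responder can run over a file share to size up damage. The magic-number table and the sample files are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Magic numbers for a few common document types. Assumption: extend this
# table for the formats that matter in your own environment.
MAGIC: Dict[str, bytes] = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
    ".xlsx": b"PK\x03\x04",
}


def header_matches(path: Path) -> Optional[bool]:
    """True if the file starts with the magic bytes its extension implies,
    False if it does not, None if the extension is not in the table."""
    magic = MAGIC.get(path.suffix.lower())
    if magic is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and bucket every file as ok / corrupt / unknown.
    Paths are returned relative to root and sorted so reports are stable."""
    report: Dict[str, List[str]] = {"ok": [], "corrupt": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            verdict = header_matches(path)
            bucket = "unknown" if verdict is None else ("ok" if verdict else "corrupt")
            report[bucket].append(path.relative_to(root).as_posix())
    for bucket in report.values():
        bucket.sort()
    return report


def corruption_ratio(report: Dict[str, List[str]]) -> float:
    """Share of checkable files that failed. One bad file is noise; a large
    share of documents failing at once is the signature of a mass-corruption
    event and a reason to isolate the host and stop scheduled backups from
    overwriting good copies."""
    checked = len(report["ok"]) + len(report["corrupt"])
    return len(report["corrupt"]) / checked if checked else 0.0


def build_demo_tree(root: Path) -> None:
    """Constructed sample data: two intact files, one file whose first 212
    bytes were overwritten the way the text describes, and one type the
    table does not cover."""
    docs = root / "docs"
    docs.mkdir(parents=True)
    (docs / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"x" * 500)
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"y" * 500)
    damaged = bytearray(b"PK\x03\x04" + b"z" * 1020)
    damaged[:212] = b"\x7f" * 212  # simulated header overwrite
    (docs / "budget.docx").write_bytes(bytes(damaged))
    (docs / "notes.txt").write_bytes(b"plain text has no magic number")


def demo() -> Dict[str, object]:
    """Run the scan against the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        report = scan_tree(root)
        return {**report, "ratio": corruption_ratio(report)}


if __name__ == "__main__":
    print(demo())
```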
SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the partition of the hard drive that contains the data that allows the system to boot up. MBR ransomware changes the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system.

Mobile Ransomware: Most ransomware targets desktops/laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.

• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless phones already have security software, the option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.

• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight up con using people’s naiveté and features built into iOS. First people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified.

The reasons these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers which makes them much harder to shut down.

2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.

3) Second-gen ransomware uses super strong cryptography which makes decrypting it yourself impossible.

4) They compress files before encrypting them.

5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several likely areas of malware evolution that are likely to appear:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.

2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.

3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.

The vast majority of these attacks will be launched from countries that do not have legislation (or insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legit website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.

5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies.

"With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT Security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

[Figure: KnowBe4 study, June 2014. Confidence in endpoint security dropped from 96% in January to 59% in June.]

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought they were very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is
not surprising that they cited Security Awareness Training (88%) as the most eective protection against If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals Backup Is Not Enough ransomware, followed by backup at 81%. more money for future attacks so it is far better to take steps ahead of time to ensure that one doesn’t So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two become a victim in the rst place. This requires a complete, defense-in-depth strategy. dierent types of media, with one osite) and test the restore function on a regular basis. But a better Russian Cyber Mob Has Picked A Highly Pro table A simple step to start with is making sure that every piece of software is kept up to date. The hackers are approach is to make sure you never get infected in the rst place. This requires Security Awareness Training. Business Model looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of Regardless of how well the defense perimeter is designed the bad guys will always nd a way in. Why? patching any aws once they are found, but if the patches are never applied you have left the door wide The study asked what they would do when confronted with a scenario where backups have failed and Employees are the weakest link in any type of IT system. Data recovery rm Kroll Ontrack reports that with open for attacks. weeks of work might be lost, an astounding 57% would begin with paying the $500 ransom and hope for traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or the best. Based on these ndings, it appears the Russian cyber mob has picked a highly protable business power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also One should also ensure that every device that connects to the company’s network is secured. 
Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource they can bring to bear against countries they are in conflict with.

Let's review some of the methods that are used to spread ransomware:
• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)
• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.
• The iPhone lockout worked by getting people to disclose their Apple IDs.
• The Android hack got people to download the software thinking they would be seeing some porn.
• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and download the software.

the weakest point when it comes to blocking ransomware. This includes employees' smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as establishing secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks.

But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

"Storage media fails regardless of type; it is just a matter of when," said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. "To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss."

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It's Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that out of those who have had some training, it was not done frequently enough to have the desired results. "Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective," said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy. "Security awareness training is critical for a solid security program," said Monahan. "The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well."

It isn't enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best defense, and they also know that most employees receive no or ineffective Security Awareness Training, it is no surprise why such a high percentage are concerned about ransomware and feel their systems are ineffective.

How Effective Is Security Awareness Training In Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now, visit our website www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.

Your Money or Your Life Files: A Short History Of Ransomware

Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders which resulted in much higher quality malware. This is when the first rootkit flavors showed up. They were going for larger targets where more money could be stolen. This was also the time where traditional mafias got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.
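The Guarding Against Ransomware section above makes the point that a backup only helps if it is complete, current and able to be restored, and that backups consistently fail. The following Python script is an added example (it is not from the whitepaper or from KnowBe4) of testing those three conditions instead of assuming them: it builds a SHA-256 manifest of the source tree when the backup is taken, then checks a restored copy against the manifest and against the live source. The directory layout, file names and contents in demo() are constructed for the example.

```python
"""Added example (not from the whitepaper): check that a backup is complete, current
and restorable rather than assuming it. A SHA-256 manifest is taken from the source
tree at backup time; a restore is then compared against the manifest and the live
source. Everything in demo() is constructed sample data."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under root, keyed by POSIX-style path relative to root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, restored: Path, source: Path) -> dict:
    """Test the three conditions against a restored tree and the live source tree.

    restorable: every manifest entry came back from the restore with the right hash
    complete:   nothing in the live source is absent from the manifest
    current:    nothing in the live source has changed since the manifest was taken
    """
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            corrupted.append(rel)

    live = build_manifest(source)
    not_backed_up = sorted(rel for rel in live if rel not in manifest)
    stale = sorted(rel for rel, digest in live.items()
                   if rel in manifest and digest != manifest[rel])

    return {
        "missing": missing,              # restore is incomplete
        "corrupted": corrupted,          # restore is not usable
        "not_backed_up": not_backed_up,  # backup job does not cover the whole tree
        "stale": stale,                  # backup is older than the data
        "ok": not (missing or corrupted or not_backed_up or stale),
    }


def demo() -> dict:
    """Constructed scenario: take a backup, then break the restore in the ways that
    actually happen (a dropped file, a media error, a source tree that moved on)."""
    work = Path(tempfile.mkdtemp(prefix="bkp-"))
    try:
        source = work / "source"
        (source / "hr").mkdir(parents=True)
        (source / "hr" / "payroll.xlsx").write_bytes(b"PK\x03\x04" + b"salary data" * 100)
        (source / "contract.docx").write_bytes(b"PK\x03\x04" + b"terms" * 50)
        (source / "notes.txt").write_text("call the bank\n")

        manifest = build_manifest(source)      # taken when the backup job runs
        backup = work / "backup"
        shutil.copytree(source, backup)        # the backup job itself

        (backup / "notes.txt").unlink()                                   # silently dropped
        (backup / "contract.docx").write_bytes(b"PK\x03")                 # truncated on failing media
        (source / "hr" / "payroll.xlsx").write_bytes(b"PK\x03\x04" + b"new salary" * 100)  # edited after backup
        (source / "q3-forecast.xlsx").write_bytes(b"PK\x03\x04forecast")  # created after backup

        return verify_backup(manifest, restored=backup, source=source)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} {value}")
```

Run the verification as part of every restore test, not only after an incident. The manifest has to be stored with the backup and a copy kept off the backup medium, because a bit-for-bit copy of silently damaged data looks complete to the backup software itself; only the hash comparison exposes the "corrupted" case.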

Generation Five - The main event that created the fifth and current generation was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. Some examples of this specialization are:
• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

"Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the end of August.

One of the key methods cybercriminals are using is ransomware, most famously the CryptoLocker malware and its numerous variants, which encrypts the files on a user's computer and demands the user pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But CryptoLocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day.
It is vital to have a broader understanding of the topic, so one can take eective countermeasures against this evolving threat.

Hacking Generations

Let's begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion dollar global activity being run by organized cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran's uranium enrichment facilities or the cyberespionage specialists of People's Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation Two - These early day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their "elite skills".

Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal, who used the botnet to send spam, attack websites, commit identity theft and carry out other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

The problem with this underground economy is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal ‘supply chain’ and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

The History Of Ransomware

Now that we've sketched out the various hacking generations let's zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp who sent 20,000 infected diskettes labeled "AIDS Information – Introductory Diskettes" to attendees of the World Health Organization's international AIDS conference. He included a leaflet with the diskettes warning that the software would "adversely affect other program applications," and that "you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally." The AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the My Documents directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person that spyware was detected on their computer and which would then entice the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had now moved over into full-blown ransomware.

"The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer," says Russinovich. "Today's scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all."

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, creating a full-screen window and constantly raising the window to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user's processes to continue running, but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee's Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

"An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer's regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount."

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact "crime" and "law enforcement agency" are tailored to the user's locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions also would take over the computer's webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London's Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI's Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OS X that ran in Safari and demanded a $300 fine. This time it didn't lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn't mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: "This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules."

Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the code must be cracked before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for anyone without a $10 billion budget. In practice, files locked with a correctly implemented 2048-bit RSA scheme have only been recovered when the private keys were seized or the malware author made an implementation mistake, never by breaking the cipher; both cases appear later in this paper.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. It contacted a command-and-control server, which generated a 2048-bit RSA key pair for that victim and returned only the public key; the malware used it to encrypt files with certain file extensions and delete the originals, while the private key needed to decrypt them stayed on the server. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn't received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, "The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States." Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev, who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/), is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May since later infections are likely to use different encryption keys.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the "police." This software started out in Eastern Europe, perhaps preying on citizens' understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: "While seizing the majority of the GameOver Zeus Botnets from the suspected 'mastermind' Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it's a very bold claim to state that Cryptolocker has been 'neutralized'. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev's servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease."

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows' built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) - Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim's computer to mine digital coins such as Bitcoin and deposit them in the malware developer's digital wallet.
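Two of the behaviours described above leave evidence in the files themselves: CryptorBit overwrites the first 212 or 1024 bytes of any data file, and CryptoLocker-style encryptors replace whole files under their existing name and extension. The following Python scanner is an added example (not from the whitepaper or from any of the vendors quoted) of checking for both: it compares each file's leading bytes with the magic bytes its extension implies, and measures the Shannon entropy of the first kilobyte. The magic table, the 7.0 bits per byte threshold and the sample files in demo() are the example's own choices; the simulated ciphertext is a SHA-256 chain, not output from real ransomware.

```python
"""Added example (not from the whitepaper): flag files whose header no longer matches
their extension (CryptorBit-style damage to the first bytes) or whose leading bytes
look like ciphertext (CryptoLocker-style in-place encryption). Sample files in demo()
are constructed; the "ciphertext" is a deterministic SHA-256 chain."""
import hashlib
import math
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes ("magic") that a healthy file of each type starts with.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}
# Formats that are compressed when healthy have high entropy anyway, so for them
# only the header check is meaningful; the entropy check would just be noise.
COMPRESSED = {".docx", ".xlsx", ".zip", ".png", ".jpg"}
HEAD_LEN = 1024          # CryptorBit's damage lands inside the first 1024 bytes
ENTROPY_THRESHOLD = 7.0  # bits per byte; text and PDF headers sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path) -> list:
    """Return the reasons a file looks corrupted or encrypted ([] means it looks fine)."""
    with path.open("rb") as f:
        head = f.read(HEAD_LEN)
    ext = path.suffix.lower()
    reasons = []
    magic = MAGIC.get(ext)
    if magic is not None and not head.startswith(magic):
        reasons.append(f"header mismatch: expected {magic!r}")
    if ext not in COMPRESSED and shannon_entropy(head) > ENTROPY_THRESHOLD:
        reasons.append(f"high entropy in first {len(head)} bytes")
    return reasons


def scan_tree(root: Path) -> dict:
    """Map relative path -> reasons for every file that trips a check."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = inspect_file(p)
            if reasons:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits


def _pseudo_ciphertext(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for encrypted output (SHA-256 chain, constructed for the demo)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def demo() -> dict:
    work = Path(tempfile.mkdtemp(prefix="scan-"))
    try:
        pdf_body = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
        # Healthy files (constructed samples)
        (work / "report.pdf").write_bytes(pdf_body * 20)
        (work / "memo.txt").write_text("Meeting moved to 3pm, bring the Q3 numbers.\n" * 30)
        (work / "budget.xlsx").write_bytes(b"PK\x03\x04" + _pseudo_ciphertext(b"zip", 2048))
        # CryptorBit-style damage: first 1024 bytes overwritten, rest of the file untouched
        (work / "invoice.pdf").write_bytes(_pseudo_ciphertext(b"k1", HEAD_LEN) + (pdf_body * 40)[HEAD_LEN:])
        # CryptoLocker-style: whole file encrypted in place, name and extension kept
        (work / "contract.docx").write_bytes(_pseudo_ciphertext(b"k2", 4096))
        return scan_tree(work)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

The entropy check is deliberately skipped for formats that are compressed when healthy (Office documents, ZIP, PNG, JPEG); for those the header check is the only reliable signal, and a wrong header under an intact extension is exactly what the CryptorBit and CryptoLocker behaviour produces. Run it against a file share from a clean host, not from the infected one.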

The original Gameover ZeuS/CryptoLocker network was taken down in late May 2014, but resurfaced by July 2014. In fact, you didn't even have to wait for that network to be rebuilt since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has their own unique characteristics.

"All of these work in almost exactly the same way as the infamous traditional cryptolocker we've all seen, but they have some improvements," says Moffitt. "First is that there is no GUI and instead just background changes and text instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits."

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn't store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): "CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing." More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker "is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families." It spreads through spam and uses the Rijndael algorithm (the cipher standardized as AES) for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014 Trend Micro reported a new ransomware that doesn't encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

The three Police Ransomware families listed by Enigma Software are:
• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS or France's SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.
• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.
• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.

SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the first sector of the hard drive; it holds the bootstrap code and the partition table that allow the system to boot up. MBR ransomware changes the computer's MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won't load the operating system, the user can't run tools to remove the infection and repair the system; removal has to start from known-good boot media rather than from the installed OS.

Mobile Ransomware: Most ransomware targets desktops/laptops, but there are also hacks designed for mobile devices. These include:
• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn't say by whom.
• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia.
• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by "Oleg Pliss" and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn't involve installing any malware, but was simply a straight up con using people's naiveté and features built into iOS. First people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified. The reasons that these strains are being called second generation are as follows:
1) They use the TOR network for their Command & Control (C&C) servers, which makes them much harder to shut down.
2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.
3) Second-gen ransomware uses super strong cryptography which makes decrypting it yourself impossible.
4) They compress files before encrypting them.
5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several likely areas of malware evolution:
1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.
3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay. The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.
4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legit website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.
5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies.

"With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company's 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker's deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn't protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300
According to Jeremy Linden, a senior security product manager for 2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected Lookout, a San Francisco-based mobile security rm, 900,000 phones were infected in the rst 30 demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat days. The software also scans for mobile banking apps but was not yet stealing the credentials. greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and eective, only 16% thought it was very eective. Nearly half (47%) considered email attachments to be Unless phones already have security software, the option to boot into safe mode and then erase all tablets. The rst waves of Android infections have occurred in 2014. the largest threat, while condence in the eectiveness of email and spam ltering had dropped from 88% the data on the phone, leaving the data on the SIM and SD cards intact. to 64% and condence in endpoint security had fallen from 96% to 59%. Given this lack of condence, it is

not surprising that they cited Security Awareness Training (88%) as the most effective protection against ransomware, followed by backup at 81%.

[Sidebar, KnowBe4 study, June 2014: Training 88%, Backup 81%. 88% consider Security Awareness Training the most effective protection from ransomware, over 81% for backup.]

Russian Cyber Mob Has Picked A Highly Profitable Business Model

The study asked what they would do when confronted with a scenario where backups have failed and weeks of work might be lost; an astounding 57% would begin with paying the $500 ransom and hope for the best. Based on these findings, it appears the Russian cyber mob has picked a highly profitable business model. While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource they can bring to bear against countries they are in conflict with.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It’s Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that out of those who have had some training, it was not done frequently enough to have the desired results. “Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective,” said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy.

“Security awareness training is critical for a solid security program,” said David Monahan, EMA Research Director, Security and Risk Management. “The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well.”

Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best defense, and they also know that most employees receive no or ineffective Security Awareness Training, it is no surprise why such a high percentage are concerned about ransomware and feel their systems are ineffective.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals more money for future attacks, so it is far better to take steps ahead of time to ensure that one doesn’t become a victim in the first place. This requires a complete, defense-in-depth strategy.

A simple step to start with is making sure that every piece of software is kept up to date. The hackers are looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of patching any flaws once they are found, but if the patches are never applied you have left the door wide open for attacks.

One should also ensure that every device that connects to the company’s network is secured. This includes employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as establishing secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks.

But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail. In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

“Storage media fails regardless of type; it is just a matter of when,” said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.”

Backup Is Not Enough

So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two different types of media, with one offsite) and test the restore function on a regular basis. But a better approach is to make sure you never get infected in the first place. This requires Security Awareness Training.

Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. Why? Employees are the weakest link in any type of IT system. Data recovery firm Kroll Ontrack reports that with traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also the weakest point when it comes to blocking ransomware.

Let’s review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)

• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.

• The iPhone lockout worked by getting people to disclose their Apple IDs.

• The Android hack got people to download the software thinking they would be seeing some porn.

• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and download the software.

How Effective Is Security Awareness Training In Combatting Ransomware?

It isn’t enough to include the security information covered in the employee handbook or conduct an annual training session, perhaps during lunch break. To be effective, employees must be reminded throughout the year of security best practices and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization now, visit our website www.knowbe4.com.

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.
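The three conditions named above (the backup must be complete, current and restorable) can be checked mechanically instead of assumed. The Python script below is an added example, not code from the whitepaper or from KnowBe4: it builds a small constructed source tree and a backup copy, then performs a real test restore into a scratch directory and compares hashes, which is what "test the restore function" means in practice. The 24-hour age limit and all file names are assumptions for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
import time


def _sha256(path):
    """Hash one file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _inventory(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = _sha256(full)
    return out


def check_backup(source_dir, backup_dir, max_age_seconds):
    """Evaluate the three conditions; 'ok' is True only when all three hold."""
    src = _inventory(source_dir)
    bak = _inventory(backup_dir)

    # Complete: every source file is in the backup with identical content.
    missing = sorted(p for p in src if p not in bak)
    changed = sorted(p for p in src if p in bak and src[p] != bak[p])
    complete = not missing and not changed

    # Current: the newest object in the backup is younger than the allowed
    # age (the recovery point objective); an empty backup is never current.
    newest = 0.0
    for dirpath, _, files in os.walk(backup_dir):
        for name in files:
            newest = max(newest, os.path.getmtime(os.path.join(dirpath, name)))
    current = bool(bak) and (time.time() - newest) <= max_age_seconds

    # Restorable: copy the backup to a scratch location and re-hash it there,
    # instead of trusting that the media can be read back when it matters.
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        shutil.copytree(backup_dir, scratch, dirs_exist_ok=True)
        restorable = _inventory(scratch) == bak
    except OSError:
        restorable = False
    finally:
        shutil.rmtree(scratch, ignore_errors=True)

    return {
        "complete": complete, "current": current, "restorable": restorable,
        "missing": missing, "changed": changed,
        "ok": complete and current and restorable,
    }


def run_demo(backup_is_complete=True):
    """Constructed scenario: a tiny source tree and a backup copy of it.
    With backup_is_complete=False one file is dropped from the backup, as a
    silently failed backup job would leave it. Returns the report dict."""
    src = tempfile.mkdtemp(prefix="src-")
    bak = tempfile.mkdtemp(prefix="bak-")
    try:
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "docs", "report.txt"), "w") as f:
            f.write("quarterly numbers\n")
        with open(os.path.join(src, "notes.txt"), "w") as f:
            f.write("meeting notes\n")
        shutil.copytree(src, bak, dirs_exist_ok=True)
        if not backup_is_complete:
            os.remove(os.path.join(bak, "docs", "report.txt"))
        return check_backup(src, bak, max_age_seconds=24 * 3600)
    finally:
        shutil.rmtree(src, ignore_errors=True)
        shutil.rmtree(bak, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())                          # all three conditions hold
    print(run_demo(backup_is_complete=False))  # 'complete' and 'ok' are False
```

Run on a schedule against the real source and backup locations, a report whose "ok" flag is False is the signal to fix the backup before, not after, an infection.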

Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders which resulted in much higher quality malware. This is when the first rootkit flavors showed up. They were going for larger targets where more money could be stolen. This was also the time where traditional mafias got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fifth and current generation was the formation of an active underground economy, where stolen goods and illegal services are bought and sold in a ‘professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. Some examples of this specialization are:

• Cybercrime has its own social networks with escrow services
• Malware can be licensed and receive tech support
• You can rent botnets by the hour, for your own crime spree
• Pay-for-play malware infection services have appeared that quickly create botnets
• A lively market for zero-day exploits (unknown software vulnerabilities) has been established

“Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that crypto-style ransomware has seen a 700 percent-plus increase. These file-encrypting versions of ransomware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the end of August.

One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware, and its numerous variants, which encrypts the files on a user’s computer and demands the user pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.

Hacking Generations

Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to see what they could get away with. It is now a multi-billion global activity being run by organized cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai.

Generation One - Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another with a floppy disk to transfer the virus.

Generation Two - These early day ‘sneaker-net’ viruses were followed by a much more malicious type of super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that started to cause multi-million dollar losses. These were still more or less created to get notoriety, with students showing off their “elite skills”.

Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to find and easy to disinfect.

The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five increases malware quality, speeds up the criminal ‘supply chain’ and effectively spreads risk among these thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like the miscreants have done over the last 10 years.

The History Of Ransomware

Now that we’ve sketched out the various hacking generations let’s zero in on ransomware and how it has evolved over time.

1989: Ransomware can be simply defined as a type of malware that restricts access to a computer system until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released way back in 1989. It was written by Harvard-trained evolutionary biologist Joseph L. Popp who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference. He included a leaflet with the diskettes warning that the software would “adversely affect other program applications,” and that “you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.” The AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the files on the C: drive. To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple symmetric cryptography and tools were soon available to decrypt the filenames. But the AIDS Trojan set the scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, the GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person that spyware was detected on their computer and which would then entice the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had now moved over into full-blown ransomware.

“The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer,” says Russinovich. “Today’s scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all.”

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, creating a full-screen window and constantly raising the window to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user’s processes to continue running, but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

“An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.”

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen be taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI’s Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OSX that ran in Safari and demanded a $300 fine. This time it didn’t lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: “This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules.”

Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the code must be cracked before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for anyone without a $10 billion budget.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, and used it to encrypt files with certain file extensions, and delete the originals. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States.” Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and UK)  and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/) is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

… RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user has to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) - Also known as Critoni.A. This was discovered in midsummer 2014 by Fedor Sinitisyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families.

The original Gameover ZeuS/CryptoLocker network was taken down late May 2014, but resurfaced by July CryptoWall – April 2014, the cyber criminals behind CryptoDefense release an 2014. In fact, you didn’t even have to wait for that network to be rebuilt since copycats had already hit the improved version called CryptoWall. While largely similar to the earlier edition, Net. While they generally have a similar overall operating pattern of encryption and extortion, they come CryptoWall doesn’t store the encryption key where the user can get to it. In from dierent sets of hackers and each has their own unique characteristics. addition, while CryptoDefense required the user to open an infected attach- ment, CryptoWall uses a Java vulnerability. Malicious advertisements on "All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, domains belonging to Disney, Facebook, The Guardian newspaper and many but they have some improvements,” says Mot. “First is that there is no GUI and instead just background others led people to sites that were CryptoWall infected and encrypted their drives. According to an August changes and texts instructions in every directory that was encrypted. Second is that you no longer pay 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser largest and most destructive ransomware threat on the Internet as of this publication, and they expect this to pay them securely and directly. This allows malware authors to skip money mules and increase the threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, percent of prots.” The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants with 5.25 billion les being encrypted. 
1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo paid $500, but the amounts ranged from $200 to $10,000. Here are some of the variations we have seen so far: family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS Locker – This was apparently the rst copycat software, initially noted in early December 2013. It cost or France's SACEM. A US variant, FBI MoneyPak claims the person viewed child pornography and demand a TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses $100 ne be sent via MoneyPak. users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But components of CryptoLocker and CryptoWall but with completely dierent code from these other two apparently the code was poorly designed: security rm IntelCrawler said it found a way to decrypt the les ransomware families.” It spreads through spam and uses the Rijndael algorithm for le encryption rather without paying ransom. • The Reveton family of malware is covered earlier in this paper also includes the variants Matsnu than RSA-2048. Ransom is paid by purchasing Bitcoins from specic Australian Bitcoin websites. and Rannoh. Cryptoblocker – July 2014 Trend Micro reported a new ransomware that doesn’t encrypt les that are larger CryptoLocker 2.0 –This version was also on the market by mid-December. Despite the name similarity, than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. • Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a dierent It uses AES rather than RSA encryption. programming team. 
Among other dierences, 2.0 would only accept Bitcoins, and it would encrypt image, responsible for Police Ransomware scams that have spread throughout North and South America music and video les which the original skipped. And, while it claimed to use RSA-4096, it actually used since April of 2012.

SMS Ransomware: This a variation on the usual type of type of lockout ransomware in terms of the • Find My Phone – In May 2014, iDevice users in Australia and the U.S. started nding a lock 3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where payment method. The screen will display a code with instructions to send that code via text message to screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions premium-rate SMS number. The user then receives an SMS message giving the unlock code. payment of $50 to $100 to unlock. It is unknown how many people were aected, but in June the comprise a range of elements including potential victim email lists, phishing templates that use successful File Encryptors: These are ransomware which encrypt all or some of the les on the disk, while leaving the Russian police arrested two people responsible and reported how they operated. This didn’t social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that applications in place. The screen will show display a ransom note with payment instructions and may or involve installing any malware, but was simply a straight up con using people’s naiveté and includes encryption / decryption features, and last but not least, the nancial infrastructure that allows may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. features built into iOS. First people were scammed into signing up for a fake video service that victims to pay. Once payment in is made, the code is sent to decrypt the les. required entering their Apple ID. 
Once they had the Apple ID, the hackers would create iCloud accounts using those ID’s and use the Find My Phone feature, which includes the ability to lock a The vast majority of these attacks will be launched from countries that do not have legislation (or MBR Ransomware: The Master Boot Record (MBR) is the partition of the hard drive that contains the data stolen phone, to lock the owners out of their own devices. insucient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will that allows the system to boot up. MBR ransomware changes the computer’s MBR so that, when the continue to be severely challenged to do something eective about it and will be forced to continue the computer is turned on, the ransom message is displayed and the computer will not boot. The message may The Future Of Ransomware whack-a-mole game i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else. say that the les have been encrypted although they are not. Since the computer won’t load the operating Starting September 2013, ransomware has become much more vicious and has inspired several copycats. system, the user can’t run tools to remove the infection and repair the system. At the time of this writing, summer 2014, the very rst strains of second-generation ransomware have 4) Infection vectors will continue to be more creative and hard to defend been identied. Mobile Ransomware: Most ransomware targets desktop/laptops, but there are also hacks designed for against. At the moment, links to cloud storage are being used as a social mobile devices. These include: engineering trick so people are tempted to open up zip les. But it is likely that The reasons that these strains being called second generation are drive-by ransomware infections will be the norm. 
Visiting a legit website that as follows: • Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in has been compromised and clicking on a link will be enough to encrypt the les on the workstation and/or the le server. the US, who were searching for porn and wound up downloading the software. Since Android 1) They use the TOR network for their Command & Control (C&C) servers requires permission to install any software, it is unknown how many people actually installed it which makes them much harder to shut down. after download. Users were required to pay $100 - $300 to remove it. On July 23, Kapersky 5) Attacks will technically become far more sophisticated and will be able to reported that Koler had been taken down, but didn’t say by whom. evade normal detection methods like antivirus and sandboxing technologies. 2) Trac between the malware that lives on the infected machine and its "With target audiences so large, nancing mechanisms so convenient, and C&C servers is much harder to intercept. cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice 3) Second-gen ransomware uses super strong cryptography which makes president of McAfee Labs in the company’s 2014 Predictions Report. "The decrypting it yourself impossible. emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of 4) They compress les before encrypting them. architectures and common security tactics enable attacks that are very hard to uncover." 5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which les types will be IT Managers Lack An Eective Approach To Ransomware encrypted, so that the criminal can compete and dierentiate themselves. 
In January 2014, IT Security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about What does the appearance of second generation ransomware ransomware, and only 2% were not at all concerned. One-third stated that their organization had already mean? And what can be expected in the future? Here are several likely areas of malware experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next evolution that are likely year. (How right they were!) And, while 82% were using some means of protection against ransomware, to appear: less than half (44%) considered their current solution to be even somewhat eective. Given that they • Svpeng:This mobile Trojan targets Android devices. It was discovered by Kapersky in July 2013 couldn’t protect eectively against a ransomware attack, the top strategy for dealing with it was to wipe and originally designed to steal payment card information from Russian bank customers. In early 1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber maas the device (82%) or restore the device from backup les (19%) rather than having a security service 2014, it had evolved into ransomware, locking the phones displaying a message accusing the user will become big players in this eld, followed by dozens of smaller operations spread all over the planet provider try to remove the encryption (22%) or doing it manually (9%). of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users that buy "pay-and-play" commercial ransomware. and using a fake FBI message and requiring a $200 payment with variants being used in the UK, Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Switzerland, India and Russia. 
According to Jeremy Linden, a senior security product manager for 2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected Lookout, a San Francisco-based mobile security rm, 900,000 phones were infected in the rst 30 demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat days. The software also scans for mobile banking apps but was not yet stealing the credentials. greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and eective, only 16% thought it was very eective. Nearly half (47%) considered email attachments to be Unless phones already have security software, the option to boot into safe mode and then erase all tablets. The rst waves of Android infections have occurred in 2014. the largest threat, while condence in the eectiveness of email and spam ltering had dropped from 88% the data on the phone, leaving the data on the SIM and SD cards intact. to 64% and condence in endpoint security had fallen from 96% to 59%. Given this lack of condence, it is

not surprising that they cited Security Awareness Training (88%) as the most eective protection against If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals Backup Is Not Enough ransomware, followed by backup at 81%. more money for future attacks so it is far better to take steps ahead of time to ensure that one doesn’t So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two become a victim in the rst place. This requires a complete, defense-in-depth strategy. dierent types of media, with one osite) and test the restore function on a regular basis. But a better Russian Cyber Mob Has Picked A Highly Pro table A simple step to start with is making sure that every piece of software is kept up to date. The hackers are approach is to make sure you never get infected in the rst place. This requires Security Awareness Training. Business Model looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of Regardless of how well the defense perimeter is designed the bad guys will always nd a way in. Why? patching any aws once they are found, but if the patches are never applied you have left the door wide The study asked what they would do when confronted with a scenario where backups have failed and Employees are the weakest link in any type of IT system. Data recovery rm Kroll Ontrack reports that with open for attacks. weeks of work might be lost, an astounding 57% would begin with paying the $500 ransom and hope for traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or the best. Based on these ndings, it appears the Russian cyber mob has picked a highly protable business power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also One should also ensure that every device that connects to the company’s network is secured. 
This includes model. While the overwhelming majority of IT pros think the criminals behind ransomware should be the weakest point when it comes to blocking ransomware. whitepaper employees’ smartphones, tablets, laptops and home computers. Protection should comprise anti-malware prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe and/or whitelisting software as well as establishing secure policies such as not allowing programs to where these criminals are largely free to commit their crimes. The chances of them being brought to justice Let’s review some of the methods that are used to spread ransomware: auto-install, blocking ports, web ltering, share access restrictions, and encryption of data at rest and in at this time are remote. The Russian government seems to use these cybercriminals as a resource they can ight. The two biggest steps, however, are those that came up in the survey: backup and user training. bring to bear against countries they are in conict with. • Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It Real-time or near-time backup can be an eective countermeasure to minimize the damage caused by is, but by the scareware itself.) ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications Surprisingly, while Security Awareness Training was considered the most eective defense against and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness • CryptoLocker sent emails with infected attachments masked as resumes to companies that had but at least one is not spending money that criminals can use to nance further attacks. Training: It’s Not Just for Compliance found that 56% of employees, excluding posted job listings on sites like Craigslist. 
The moment anyone opens these documents, the security and IT sta, had not received any Security Awareness Training from their ransomware kicks in and downtime is the result. Part of the problem is that the people involved But this, or course, assumes that the backup is complete, organizations. The quality of such training also left a lot to be desired. The EMA with hiring are very often those with the most access; the owner, CEO, HR or department heads. If is current and is able to be restored. It report found that out of those who have had some training, it was not done they are duped by the bad guys, the consequences for the entire organization can be dire. would be nice if those three conditions frequently enough to have the desired results. “Employees predominantly received were the norm for backups, but training annually, even though a higher frequency of training has been found to be • The iPhone lockout worked by getting people to disclose their Apple IDs. unfortunately that is far from the case. more eective,” said the EMA report. The fact is that backups consistently fail. David Monahan, EMA Research Director, Security and Risk Management, believes • The Android hack got people to download the software thinking they would be seeing some porn. that training is one of the most important elements in any ransomware defense In surveys, most IT managers strategy. • Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad said they rely on backup to get and download the software. them out of a tight spot. However, “Security awareness training is critical for a solid security program,” said David 57% of them agree that if their Monahan, EMA Research Director, Security and Risk Management. 
“The organiza- It isn’t enough to include the security information covered in the employee handbook or conduct an annual backup fails, they would be forced to tions that fail to train their people are doing their business, their personnel and the training session, perhaps during lunch break. To be eective, employees must be reminded throughout the pay the ransom. Sadly, too many Internet as a whole a disservice because the training they provide at work aects year of security best practices and must be tested on the job, not in the classroom, to see if they are backups fail for this to be a wise how their employees make security decisions while they are on the Internet at home as well.” applying what they have learned. approach. According to a 2013 report by Given that IT expects that ransomware will increase, that they know Security Awareness Training is the best Symantec, Avoiding the Hidden Costs of defense, and they also know that most employees receive no or ineective Security Awareness Training, it the Cloud, 47% of enterprises lost data in is no surprise why such a high percentage are concerned about ransomware and feel their systems are How Eective Is Security Awareness Training In the cloud and had to restore their ineective. information from backups, 37% of SMBs Combatting Ransomware? have lost data in the cloud and had to Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Guarding Against Ransomware restore their information from backups and a Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their Given the rapid spread and potentially high cost of ransomware, it is important to take eective steps to startling 66% of those organizations saw recovery operations fail. workstation, KnowBe4 pays your crypto-ransom. 
Find out how aordable this is for your organization now, guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is visit our website www.knowbe4.com. not a realistic expectation. True, there are occasional high prole successes, like the one against the “Storage media fails regardless of type; it is just a matter of when,” said Je Pederson, manager of data Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. recovery operations for Kroll Ontrack. “To avoid such a failure, one should regularly defrag their computer, And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond were before. good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss.” Drew Robb is a freelance writer living In Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, information week and writers digest.

13 Generation Four - Here is where cybercrime turned professional. The malware began to hide itself, and Your Money or Your Life Files those behind it became better organized. They were mostly in Eastern European countries, and utilized more mature coders which resulted in much higher quality malware. This is when the rst rootkit avors A Short History Of Ransomware showed up. They were going for larger targets where more money could be stolen. This was also the time where traditional maas got wise to the potential and muscled into the game. Rackets like extortion of online bookmakers started to show their ugly face in Generation Four.

Generation Five - The main event that created the fth and current generation was the formation of an “Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are active underground economy, where stolen goods and illegal services are bought and sold in a ‘ blurring the lines between online and o ine fraud, and giving novice computer users a crash course in professional’ manner, if there is such a thing as honor among thieves. Note that because of this, cybercrime modern-day cybercrime," said Krebs. Symantec reported in their August 2014 Intelligence report that has recently been developing at a much faster rate. All the tools of the trade are now for sale. This has crypto-style ransomware has seen a 700 percent-plus increase. These le-encrypting versions of ransom- opened the ‘industry’ to relatively inexperienced criminals who can learn the trade and get to work quickly. ware began the year comprising 1.2 percent of all ransomware detections, but made up 31 percent at the Some examples of this specialization are: end of August. • Cybercrime has its own social networks with escrow services One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware, • Malware can be licensed and receive tech support and its numerous variants, which encrypts the les on a user’s computer and demands the user pay a • You can rent botnets by the hour, for your own crime spree ransom, usually in Bitcoins, in order to receive the key to decrypt the les. But Cryptolocker is just one • Pay-for-play malware infection services have appeared that quickly create botnets approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To • A lively market for zero-day exploits (unknown software vulnerabilities) has been established guard against ransomware, it is not enough to know the malware that is making the rounds that day. 
It is vital to have a broader understanding of the topic, so one can take eective countermeasures against this evolving threat.

Hacking Generations The problem with this is that it provides unfortunate economies of scale. The advent of Generation Five Let’s begin by taking a look at how cyberattacks have changed over the years. What we are facing increases malware quality, speeds up the criminal ‘supply chain’ and eectively spreads risk among these nowadays is a far cry from when people like Kevin Mitnick were breaking into phone company networks to thieves, meaning it becomes much harder to apprehend the culprits, not to mention jurisdiction problems. see what they could get away with. It is now a multi-billion global activity being run by organized Due to these factors, it is clear that we are in this for the long haul. We need to step up our game, just like cybercrime hiring experienced, professional coders and running e-commerce sites and cloud computing the miscreants have done over the last 10 years. services for criminal activities. For the purposes of this article, however, we will ignore nation-state sponsored targeted actions such as the Stuxnet attack on Iran’s uranium enrichment facilities or the The History Of Ransomware cyberespionage specialists of People’s Liberation Army Unit 61398 operating out of a 12-story building near Shanghai. Now that we’ve sketched out the various hacking generations let’s zero in on ransomware and how it has evolved over time. Generation One -Those were the teenagers in dark, damp cellars writing viruses to gain notoriety, and to show the world they were able to do it – relatively harmless, no more than a pain in the neck to a large 1989: Ransomware can be simply dened as a type of malware that restricts access to a computer system extent. We call them sneaker-net viruses as it usually took a person to walk over from one PC to another until a ransom is paid. First to hit the market was the AIDS Trojan, also known as the PC Cyborg, released with a oppy disk to transfer the virus. way back in 1989. 
It was written by Harvard-trained evolutionary biologist Joseph L. Popp who sent 20,000 infected diskettes labeled “AIDS Information – Introductory Diskettes” to attendees of the World Health Generation Two -These early day ‘sneaker-net’ viruses were followed by a much more malicious type of Organization’s international AIDS conference. He included a leaet with the diskettes warning that the super-fast spreading worms (we are talking 10 minutes around the globe) like Sasser and NetSky that software would “adversely aect other program applications,” and that “you will owe compensation and started to cause multi-million dollar losses. These were still more or less created to get notoriety, with possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.”The students showing o their “elite skills”. AIDS Trojan would count the number of times the computer was booted and once the count reached 90 would hide the directories and encrypt the names of the les on the C: drive. To regain access, the user Generation Three - Here the motive shifted from recognition to remuneration. These guys were in it for would have to send $189 to PC Cyborg Corp. at a post oce box in Panama. easy money. This is where botnets came in: thousands of infected PCs owned and controlled by the cybercriminal that used the botnet to send spam, attack websites, identity theft and other nefarious The AIDS Trojan was Generation One malware and relatively easy to overcome. The Trojan used simple activities. The malware used was more advanced than the code of the ‘pioneers’ but was still easy to nd symmetric cryptography and tools were soon available to decrypt the lenames. But the AIDS Trojan set the and easy to disinfect. scene for what was to come – though it took a little while to move into high gear.

2006: When the professionals entered the picture, they combined ransomware with RSA encryption. In 2006, the Archiveus Trojan encrypted everything in the MyDocuments directory and required victims to purchase items from an online pharmacy to receive the 30-digit password. In June 2006, the GPcode, an encryption Trojan which initially spread via an email attachment purporting to be a job application, used a 660-bit RSA public key. Two years later, a variant (GPcode.AK) used a 1024-bit RSA key.

In the meantime, other types of ransomware circulated that did not involve encryption, but simply locked out users. WinLock displayed pornographic images until the users sent a $10 premium-rate SMS to receive the unlocking code. Another ransomware worm imitated the Windows Product Activation notice and gave the person an international number to call to input a six-digit code. The call would be rerouted through a country with high international phone rates, and the person would be kept on hold while the fees racked up.

An alternative approach seen in recent years is scareware. Instead of encrypting files or locking people out, you do something to spook them into making payments. Such scareware, for example, can consist of a notice, appearing to be a Windows alert, which would pop up on the infected machine telling the person that spyware was detected on their computer and which would then entice the person to purchase software to remove the spyware. Others report that child pornography or illegally downloaded movies were found on the computer with a demand that the person pay a fee to avoid prosecution.

In January 2013, Mark Russinovich, developer of the Sysinternals Windows management tools, noted that since he first wrote about scareware in 2006, many of the attacks had now moved over into full-blown ransomware.

“The examples in my 2006 blog post merely nagged you that your system was infected, but otherwise let you continue to use the computer,” says Russinovich. “Today’s scareware prevents you from running security and diagnostic software at the minimum, and often prevents you from executing any software at all.”

Techniques include blocking the execution of other programs by simply watching for the appearance of new windows and forcibly terminating the owning process, hiding any windows not belonging to the malware, creating a new desktop, creating a full-screen window and constantly raising the window to the top of the window order. Other than the first, which actually kills the processes, these techniques allow the user’s processes to continue running, but mask them so they are inaccessible.

2012: The first large scale ransomware outbreak

By mid-2011, ransomware had moved into the big time. According to McAfee’s Quarterly Threats Report, there were about 30,000 new ransomware samples detected in each of the first two quarters of 2011. Then during the third quarter, the number doubled, and it surpassed 100,000 in the first quarter of 2012. Amazingly, it doubled again by the third quarter to more than 200,000 samples, or more than 2,000 per day. According to McAfee, part of this was that anonymous payment services made it much easier to collect money than the credit card payment systems that were used with the earlier wave of fake AV software scams.

But more importantly, the cybercrime ecosystem had come of age. Key to this was Citadel, a toolkit for distributing malware and managing botnets that first surfaced in January 2012. As the McAfee report stated:

“An underground ecosystem is already in place to help with services such as pay-per-install on computers that are infected by other malware, such as Citadel, and easy-to-use crime packs are available in the underground market. Criminals can buy kits like Lyposit—whose malware pretends to come from a local law enforcement agency (based on the computer’s regional settings) and instructs victims to use payment services in a specific country—for just a share of the profit instead of for a fixed amount.”

Citadel and Lyposit led to the Reveton worm, an attempt to extort money in the form of a fraudulent criminal fine. The exact “crime” and “law enforcement agency” are tailored to the user’s locality. The crimes might be pirated software or child pornography, for example. The user would be locked out of the infected computer and the screen be taken over by a notice informing the user of their crime and instructing them that to unlock their computer they must pay the appropriate fine using a service such as Ukash, Paysafe or MoneyPak. Some versions also would take over the computer’s webcam and show it on the screen to give the appearance that the person is being recorded by the police.

Reveton first showed up in European countries in early 2012. In the UK, the screen appeared to be coming from organizations such as the music copyright organization PRS for Music, London’s Metropolitan Police Service or the Police Central e-Crime Unit. In Germany, it was the Bundespolizei; in Norway, the Norsk Politi Institutt for Cybercrime; and so on. Trend Micro researchers located templates for U.S. and Canadian versions in May 2012, and by late summer one of them was making the rounds. It appeared to be from the FBI, demanding a $200 payment via a MoneyPak card. In November, another version came out pretending to be from the FBI’s Internet Crime Complaint Center (IC3).

Like most malware, Reveton continues to evolve. In July 2013, the IC3 announced a version for OSX that ran in Safari and demanded a $300 fine. This time it didn’t lock the computer or encrypt the files, but just opened a large number of iframes (browser windows) that the user would have to close. In July 2013, a version purporting to be from the Department of Homeland Security locked computers and demanded a $300 fine. In August 2013, Christopher Boyd, Senior Threat Researcher for ThreatTrack Security, found a version masquerading as fake security software known as Live Security Professional.

It is important to note that just because a person pays to unlock the computer, it doesn’t mean that the malware is gone. Once the ransom is paid, the Citadel software continues to operate and the computer can still be used to commit bank or credit card fraud. Reveton, for instance, included the Papras family of malware, which includes password stealers and which can also disable security software. In August 2014, Avast Software reported that Reveton had added a new, more powerful password stealer called Pony Stealer. According to Avast: “This addition affects more than 110 applications and turns your computer to a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. … The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc. and over 140 submodules.” Reveton is a good example of the criminal ecosystem that now exists; malware writers license other malware writers' apps and integrate them for more profit. Pony is very advanced and can pluck and decrypt encrypted passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

September 2013: CryptoLocker burst onto the scene

Lockscreens and scareware are bad enough, but cryptographic malware is far worse. At least with a lockscreen, someone eventually develops a tool to remove it so one can regain access to their data. With encryption, however, the code must be cracked before the files can be decrypted. And, though there are persistent rumors that the NSA can crack 2048-bit encryption, which it of course denies, it is impossible for anyone without a $10 billion budget.

Cryptographic malware burst onto the scene in September 2013 with the arrival of CryptoLocker, essentially a ransomware Trojan. CryptoLocker spread through email attachments and drive-by downloads from infected websites. It generated a 2048-bit RSA key pair, uploaded it to a command-and-control server, and used it to encrypt files with certain file extensions, and delete the originals. It would then threaten to delete the private key if payment was not received within three days. Payments initially could be received in the form of Bitcoins or pre-paid cash vouchers. With some versions of CryptoLocker, if the payment wasn’t received within three days, the user was given a second opportunity to pay a much higher ransom to get their files back. While prices vary over time and with the particular version being used, in mid-November 2013 when the going ransom was 2 Bitcoins or about $460, if they missed the original ransom deadline they could pay 10 Bitcoins ($2300) to use a service that connected to the command and control servers. After paying for that service, the first 1024 bytes of an encrypted file would be uploaded to the server and the server would then search for the associated private key.

According to Dell SecureWorks, “The earliest CryptoLocker samples appear to have been released on the Internet on September 5, 2013. Details about this initial distribution phase are unclear, but it appears the samples were downloaded from a compromised website located in the United States.” Versions were also distributed to business professionals in the form of email attachments that were made to look like customer complaints. Payments could be made by CashU, Ukash, Paysafecard, MoneyPak or Bitcoin. Prices were initially set at $100, €100, £100, two Bitcoins or other figures for various currencies. But over the next few months the cash price was raised to $300 while, with the rapid price inflation of Bitcoins, it was lowered to 0.3 Bitcoins.

December 2013: 250,000 machines infected

In December 2013, Dell SecureWorks reported that about 250,000 machines had been infected. ZDNet researched four Bitcoin accounts associated with CryptoLocker and found that 41,928 Bitcoins had been moved through those four accounts between October 15 and December 18. Given the then current price of $661, that would represent more than $27 million in payments received, not counting all the other payment methods.

CryptoLocker was spread and controlled through the Gameover ZeuS botnet which had been capturing online banking information since 2011. In June 2014, a multi-national team composed of government agencies (U.S., Australia, Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada,

Ukraine and UK) and private companies, primarily Dell SecureWorks and CrowdStrike, managed to disable the Gameover ZeuS Botnet. The U.S. Department of Justice also issued an indictment against Evgeniy Bogachev who operated the botnet from his base on the Black Sea. However, you will notice that Russia is not listed as one of the participating governments, and given the current geopolitical situation it is unlikely that he will ever show up in court.

In August 2014, security firms FireEye of Milpitas, California and Fox-IT of Delft, The Netherlands announced that they had jointly developed a program that may be able to decrypt files that were encrypted by the original CryptoLocker botnet. The program, DecryptCryptoLocker (https://www.decryptcryptolocker.com/) is free to anyone who still has those encrypted files, but it is unlikely to work on any machines infected after the original network was brought down in late May since later infections are likely to use different encryption keys.

CryptoLocker Copycats

It is a myth that Arpanet, the predecessor to the internet, was designed to survive a nuclear attack. But it is true that the internet is highly resilient and will reroute packets whenever any particular node goes down. The same applies to criminal networks.

As Tyler Moffitt of Webroot put it: “While seizing the majority of the GameOver Zeus Botnets from the suspected “mastermind” Evgeniy Bogachev was a big impact to the number of computers infected with GameOver Zeus – about a 31 percent decrease, it’s a very bold claim to state that Cryptolocker has been ‘neutralized’. … Most malware authors spread their samples through botnets that they either accumulated themselves (Bogachev), or just rent time on a botnet from someone like Bogachev (most common). So now that Bogachev’s servers are seized, malware authors are just going to rent from some of the many other botnets out there that are still for lease.”

The original Gameover ZeuS/CryptoLocker network was taken down late May 2014, but resurfaced by July 2014. In fact, you didn’t even have to wait for that network to be rebuilt since copycats had already hit the Net. While they generally have a similar overall operating pattern of encryption and extortion, they come from different sets of hackers and each has their own unique characteristics.

"All of these work in almost exactly the same way as the infamous traditional cryptolocker we’ve all seen, but they have some improvements,” says Moffitt. “First is that there is no GUI and instead just background changes and texts instructions in every directory that was encrypted. Second is that you no longer pay using a MoneyPak key in the GUI, but instead you have to install Tor or another layered encryption browser to pay them securely and directly. This allows malware authors to skip money mules and increase the percent of profits.”

Here are some of the variations we have seen so far:

Locker – This was apparently the first copycat software, initially noted in early December 2013. It cost users $150 to get the key, with money being sent to a Perfect Money or QIWI Visa Virtual Card number. But apparently the code was poorly designed: security firm IntelCrawler said it found a way to decrypt the files without paying ransom.

CryptoLocker 2.0 – This version was also on the market by mid-December. Despite the name similarity, CryptoLocker 2.0 was written using C# while the original was in C++ so it was likely done by a different programming team. Among other differences, 2.0 would only accept Bitcoins, and it would encrypt image, music and video files which the original skipped. And, while it claimed to use RSA-4096, it actually used RSA-1024. However, the infection methods were the same and the screen image very close to the original.

CryptoDefense arrived in February 2014. It used Tor and Bitcoin for anonymity and 2048-bit encryption. However, because it used Windows’ built-in encryption APIs, the private key was stored in plain text on the infected computer. Despite this flaw, the hackers still managed to earn at least $34,000 in the first month, according to Symantec.

SynoLocker appeared in August 2014. Unlike the others which targeted end-user devices, this one was designed for Synology network attached storage devices. And unlike most encryption ransomware, SynoLocker encrypts the files one by one. Payment was 0.6 Bitcoins and the user had to go to an address on the Tor network to unlock the files.

CTB-Locker (Curve-Tor-Bitcoin Locker) - Also known as Critoni.A. This was discovered midsummer 2014 by Fedor Sinitsyn, a security researcher for Kaspersky. Early versions only had an English language GUI, but then Russian was added. The first infections were mainly in Russia, so the developers were likely from an eastern European country, not Russia, because the Russian security services immediately arrest and shut down any Russians hacking others in their own country.

CryptorBit surfaced in December 2013. Unlike CryptoLocker and CryptoDefense which only target specific file extensions, CryptorBit corrupts the first 212 or 1024 bytes of any data file it finds. It also seems to be able to bypass Group Policy settings put in place to defend against this type of ransomware infection. The cyber gang uses social engineering to get the end-user to install the ransomware using such devices as a fake Flash update or a rogue antivirus product. Then, once the files are encrypted, the user is asked to install the Tor Browser, enter their address and follow the instructions to make the ransom payment – up to $500 in Bitcoin. The software also installs cryptocoin mining software that uses the victim’s computer to mine digital coins such as Bitcoin and deposit them in the malware developer’s digital wallet.

CryptoWall – In April 2014, the cyber criminals behind CryptoDefense released an improved version called CryptoWall. While largely similar to the earlier edition, CryptoWall doesn’t store the encryption key where the user can get to it. In addition, while CryptoDefense required the user to open an infected attachment, CryptoWall uses a Java vulnerability. Malicious advertisements on domains belonging to Disney, Facebook, The Guardian newspaper and many others led people to sites that were CryptoWall infected and encrypted their drives. According to an August 27 report from Dell SecureWorks Counter Threat Unit (CTU): “CTU researchers consider CryptoWall to be the largest and most destructive ransomware threat on the Internet as of this publication, and they expect this threat to continue growing.” More than 600,000 systems were infected between mid-March and August 24, with 5.25 billion files being encrypted. 1,683 victims (0.27%) paid a total $1,101,900 in ransom. Nearly 2/3 paid $500, but the amounts ranged from $200 to $10,000.

TorrentLocker – According to iSight Partners, TorrentLocker “is a new strain of ransomware that uses components of CryptoLocker and CryptoWall but with completely different code from these other two ransomware families.” It spreads through spam and uses the Rijndael algorithm for file encryption rather than RSA-2048. Ransom is paid by purchasing Bitcoins from specific Australian Bitcoin websites.

Cryptoblocker – In July 2014 Trend Micro reported a new ransomware that doesn’t encrypt files that are larger than 100MB and will skip anything in the C:\Windows, C:\Program Files and C:\Program Files (x86) folders. It uses AES rather than RSA encryption.

Different Ransomware Families

Ransomware breaks down into several different malware families.

WinLock/Police Ransomware – Police Ransomware is software, like Reveton, that displays a message that the user is being pursued by the police because they broke the law by viewing pornography, or downloaded or shared intellectual property. The malware takes over the computer, locking out the user and displaying a screen giving the message from the “police.” This software started out in Eastern Europe, perhaps preying on citizens’ understandable distrust and fear of the police forces after half a century of dealing with Communist secret police organizations. Starting in 2012, however, these infections began spreading worldwide.

One factor that is unique about this type of software is that it must be tailored to the local area. While other types of malware can butcher the grammar, non-idiomatic language in a police ransomware attack will signal that it is not from the agency it purports to be from. Enigma Software lists three common Police Ransomware families.

• The Gimemo family appeared in 2010 and infected computer systems in Russia. The earliest variants demanded payment through text messaging before switching to PaySafeCard and Ukash. The Gimemo family frequently sends messages from copyright enforcement agencies such as the United Kingdom's PRS or France's SACEM. A US variant, FBI MoneyPak, claims the person viewed child pornography and demands a $100 fine be sent via MoneyPak.

• The Reveton family of malware, covered earlier in this paper, also includes the variants Matsnu and Rannoh.

• Urausy Police Ransomware Trojans are some of the most recent entries in these attacks and are responsible for Police Ransomware scams that have spread throughout North and South America since April of 2012.
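The copycats above leave two symptoms on disk that a defender can look for without any knowledge of the particular family: ransom-note files dropped into every directory that was encrypted (as Moffitt describes for the CryptoWall generation), and data files whose contents no longer match what their extension promises, whether the whole file was replaced with ciphertext or only the first bytes were clobbered as CryptorBit does. The script below is an added example, not code from the whitepaper or from any vendor it cites; the magic-byte table, the ransom-note name patterns, the entropy threshold and the sample directory tree are all constructed for the demonstration and are not indicators from the paper.

```python
"""Added example: flag file-level symptoms of crypto-ransomware on a tree.

Two checks: (1) a file's leading bytes disagree with the magic header its
extension implies, and (2) ransom notes are present in a large share of
directories. Entropy of the first 4 KiB separates wholesale encryption
(near 8 bits/byte) from a header-only corruption (low entropy).
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed magic headers; a real deployment would use a fuller table.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}
# Hypothetical note-name fragments, not identifiers taken from the paper.
NOTE_PATTERNS = ("DECRYPT", "HOW_TO_RESTORE", "README_FOR_DECRYPT")
ENTROPY_THRESHOLD = 7.0  # bits per byte; ciphertext sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given buffer (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_mismatch(path: Path) -> bool:
    """True when the extension promises a magic header the file lacks."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return False  # unknown type: nothing to compare against
    with open(path, "rb") as fh:
        return fh.read(len(expected)) != expected


def scan_tree(root: Path, note_dir_ratio: float = 0.5) -> dict:
    """Walk the tree and report mismatched files plus ransom-note spread."""
    mismatched, dirs_total, dirs_with_note = [], 0, 0
    for dirpath, _dirs, files in os.walk(root):
        dirs_total += 1
        if any(p in f.upper() for f in files for p in NOTE_PATTERNS):
            dirs_with_note += 1
        for name in files:
            p = Path(dirpath) / name
            if header_mismatch(p):
                with open(p, "rb") as fh:
                    ent = shannon_entropy(fh.read(4096))
                mismatched.append((p.relative_to(root).as_posix(), round(ent, 2)))
    ratio = dirs_with_note / dirs_total if dirs_total else 0.0
    return {
        "mismatched_files": sorted(mismatched),
        "high_entropy_files": sorted(n for n, e in mismatched if e >= ENTROPY_THRESHOLD),
        "note_dir_ratio": ratio,
        "mass_notes": dirs_total > 0 and ratio >= note_dir_ratio,
    }


def build_sample_tree() -> Path:
    """Constructed sample: two healthy files, one file replaced by
    random-looking bytes, one with only its header clobbered, and a note
    in two of the three directories."""
    root = Path(tempfile.mkdtemp(prefix="rw_demo_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "q1.pdf").write_bytes(b"%PDF-1.4 sample report " * 20)
    (root / "hr" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 200)
    # Deterministic stand-in for ciphertext: every byte value appears equally.
    (root / "hr" / "payroll.xlsx").write_bytes(bytes((i * 131 + 17) % 256 for i in range(4096)))
    # Header-only damage; the body is still low-entropy text.
    (root / "finance" / "memo.docx").write_bytes(b"\xde\xad\xbe\xef" + b"hello world " * 100)
    (root / "finance" / "HOW_TO_RESTORE_FILES.txt").write_text("pay here")
    (root / "hr" / "HOW_TO_RESTORE_FILES.txt").write_text("pay here")
    return root


if __name__ == "__main__":
    for key, value in scan_tree(build_sample_tree()).items():
        print(f"{key}: {value}")
```

The header check is the primary signal: a file with only its first bytes overwritten still has ordinary text entropy, so an entropy-only monitor would miss the CryptorBit case while the magic-byte comparison catches both. Run against a file share, the note-ratio check is the cheaper early warning, since the notes appear in every directory the encryptor touched.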

SMS Ransomware: This is a variation on the usual type of lockout ransomware in terms of the payment method. The screen will display a code with instructions to send that code via text message to a premium-rate SMS number. The user then receives an SMS message giving the unlock code.

File Encryptors: These are ransomware which encrypt all or some of the files on the disk, while leaving the applications in place. The screen will display a ransom note with payment instructions and may or may not lock the screen. The most prominent example is CryptoLocker and its variants, discussed above. Once payment is made, the code is sent to decrypt the files.

MBR Ransomware: The Master Boot Record (MBR) is the partition of the hard drive that contains the data that allows the system to boot up. MBR ransomware changes the computer’s MBR so that, when the computer is turned on, the ransom message is displayed and the computer will not boot. The message may say that the files have been encrypted although they are not. Since the computer won’t load the operating system, the user can’t run tools to remove the infection and repair the system.

Mobile Ransomware: Most ransomware targets desktop/laptops, but there are also hacks designed for mobile devices. These include:

• Koler.a: Launched in April, this police ransom Trojan infected around 200,000 Android users, ¾ in the US, who were searching for porn and wound up downloading the software. Since Android requires permission to install any software, it is unknown how many people actually installed it after download. Users were required to pay $100 - $300 to remove it. On July 23, Kaspersky reported that Koler had been taken down, but didn’t say by whom.

• Svpeng: This mobile Trojan targets Android devices. It was discovered by Kaspersky in July 2013 and originally designed to steal payment card information from Russian bank customers. In early 2014, it had evolved into ransomware, locking the phones and displaying a message accusing the user of accessing child pornography. By the summer of 2014, a new version was out targeting U.S. users and using a fake FBI message and requiring a $200 payment, with variants being used in the UK, Switzerland, India and Russia. According to Jeremy Linden, a senior security product manager for Lookout, a San Francisco-based mobile security firm, 900,000 phones were infected in the first 30 days. The software also scans for mobile banking apps but was not yet stealing the credentials. Unless phones already have security software, the option is to boot into safe mode and then erase all the data on the phone, leaving the data on the SIM and SD cards intact.

• Find My Phone – In May 2014, iDevice users in Australia and the U.S. started finding a lock screen on their iPhones and iPads saying that it had been locked by “Oleg Pliss” and requiring payment of $50 to $100 to unlock. It is unknown how many people were affected, but in June the Russian police arrested two people responsible and reported how they operated. This didn’t involve installing any malware, but was simply a straight up con using people’s naiveté and features built into iOS. First people were scammed into signing up for a fake video service that required entering their Apple ID. Once they had the Apple ID, the hackers would create iCloud accounts using those IDs and use the Find My Phone feature, which includes the ability to lock a stolen phone, to lock the owners out of their own devices.

The Future Of Ransomware

Starting September 2013, ransomware has become much more vicious and has inspired several copycats. At the time of this writing, summer 2014, the very first strains of second-generation ransomware have been identified.

The reasons that these strains are being called second generation are as follows:

1) They use the TOR network for their Command & Control (C&C) servers which makes them much harder to shut down.

2) Traffic between the malware that lives on the infected machine and its C&C servers is much harder to intercept.

3) Second-gen ransomware uses super strong cryptography which makes decrypting it yourself impossible.

4) They compress files before encrypting them.

5) Second-gen ransomware is built as commercial crimeware, so it can be sold globally to other cybercriminals. It uses Bitcoin ransom amounts that the "customer" can specify and a choice of which file types will be encrypted, so that the criminal can compete and differentiate themselves.

What does the appearance of second generation ransomware mean? And what can be expected in the future? Here are several areas of malware evolution that are likely to appear:

1) Second-gen ransomware will proliferate. Several large (and competing) Eastern European cyber mafias will become big players in this field, followed by dozens of smaller operations spread all over the planet that buy "pay-and-play" commercial ransomware.

2) Ransomware will expand beyond the Windows platform onto Apple's devices. Being hit with a ransom demand to unlock your iMac, iPhone or iPad, although it has already taken place, will be likely to occur with greater frequency. Similarly, this will also be the case for the Android OS, which runs on both phones and tablets. The first waves of Android infections have occurred in 2014.

3) Criminal RaaS (Ransomware-as-a-Service) subscriptions will become more widely available, where would-be cyber criminals can buy all the required elements needed for an attack. These RaaS subscriptions comprise a range of elements including potential victim email lists, phishing templates that use successful social engineering ploys, bulletproof email servers (or botnets) to send the attacks, the malware that includes encryption / decryption features, and last but not least, the financial infrastructure that allows victims to pay.

The vast majority of these attacks will be launched from countries that do not have legislation (or have insufficient enforcement) to stop this kind of attack vector, with the result that U.S. law enforcement will continue to be severely challenged to do something effective about it and will be forced to continue the whack-a-mole game, i.e., like the popular arcade game, the targets keep ducking out of the way before detection only to pop up almost immediately somewhere else.

4) Infection vectors will continue to be more creative and hard to defend against. At the moment, links to cloud storage are being used as a social engineering trick so people are tempted to open up zip files. But it is likely that drive-by ransomware infections will be the norm. Visiting a legit website that has been compromised and clicking on a link will be enough to encrypt the files on the workstation and/or the file server.

5) Attacks will technically become far more sophisticated and will be able to evade normal detection methods like antivirus and sandboxing technologies.

"With target audiences so large, financing mechanisms so convenient, and cyber-talent so accessible, robust innovation in criminal technology and tactics will continue its surge forward in 2014," said Vincent Weafer, senior vice president of McAfee Labs, in the company’s 2014 Predictions Report. "The emergence and evolution of advanced evasion techniques represents a new enterprise security battlefront, where the hacker’s deep knowledge of architectures and common security tactics enable attacks that are very hard to uncover."

IT Managers Lack An Effective Approach To Ransomware

In January 2014, IT Security company Webroot used Spiceworks to survey 300 IT professionals on the threat of ransomware. At that time, 48% said that they were either very or extremely concerned about ransomware, and only 2% were not at all concerned. One-third stated that their organization had already experienced a ransomware attack and two-thirds expected the number of attacks to increase in the next year. (How right they were!) And, while 82% were using some means of protection against ransomware, less than half (44%) considered their current solution to be even somewhat effective. Given that they couldn’t protect effectively against a ransomware attack, the top strategy for dealing with it was to wipe the device (82%) or restore the device from backup files (19%) rather than having a security service provider try to remove the encryption (22%) or doing it manually (9%).

Given the rapid rise in ransomware, KnowBe4 decided to conduct a similar survey in June of more than 300 Spiceworks users to see how much attitudes had changed. This time, we found that 88% expected ransomware to increase by the end of the year, and while 72% felt their current solutions were somewhat effective, only 16% thought it was very effective. Nearly half (47%) considered email attachments to be the largest threat, while confidence in the effectiveness of email and spam filtering had dropped from 88% to 64% and confidence in endpoint security had fallen from 96% to 59%. Given this lack of confidence, it is

not surprising that they cited Security Awareness Training (88%) as the most eective protection against If one is hit and can’t recover the data, it may be best to pay the ransom. But that just gives the criminals Backup Is Not Enough ransomware, followed by backup at 81%. more money for future attacks so it is far better to take steps ahead of time to ensure that one doesn’t So, by all means have backup processes in place, apply the 3-2-1 strategy (three copies of the data, on two become a victim in the rst place. This requires a complete, defense-in-depth strategy. dierent types of media, with one osite) and test the restore function on a regular basis. But a better Russian Cyber Mob Has Picked A Highly Pro table A simple step to start with is making sure that every piece of software is kept up to date. The hackers are approach is to make sure you never get infected in the rst place. This requires Security Awareness Training. Business Model looking for vulnerabilities they can exploit to take over systems. Vendors generally do a good job of Regardless of how well the defense perimeter is designed the bad guys will always nd a way in. Why? patching any aws once they are found, but if the patches are never applied you have left the door wide The study asked what they would do when confronted with a scenario where backups have failed and Employees are the weakest link in any type of IT system. Data recovery rm Kroll Ontrack reports that with open for attacks. weeks of work might be lost, an astounding 57% would begin with paying the $500 ransom and hope for traditional IT systems, human error accounts for 26% of data loss incidents, more than hardware failures or the best. Based on these ndings, it appears the Russian cyber mob has picked a highly protable business power outages. For virtualized systems, the human error rate rises to 65%. Similarly, human error is also One should also ensure that every device that connects to the company’s network is secured. 
Let's review some of the methods that are used to spread ransomware:

• Scareware works by tricking unsuspecting people into thinking that their computer is infected. (It is, but by the scareware itself.)

• CryptoLocker sent emails with infected attachments masked as resumes to companies that had posted job listings on sites like Craigslist. The moment anyone opens these documents, the ransomware kicks in and downtime is the result. Part of the problem is that the people involved with hiring are very often those with the most access: the owner, CEO, HR or department heads. If they are duped by the bad guys, the consequences for the entire organization can be dire.

• The iPhone lockout worked by getting people to disclose their Apple IDs.

• The Android hack got people to download the software thinking they would be seeing some porn.

• Many forms of malware use ads on legitimate websites such as Yahoo or YouTube. Click on the ad and download the software.

Surprisingly, while Security Awareness Training was considered the most effective defense against ransomware, an April 2014 report from Enterprise Management Associates (EMA), Security Awareness Training: It's Not Just for Compliance, found that 56% of employees, excluding security and IT staff, had not received any Security Awareness Training from their organizations. The quality of such training also left a lot to be desired. The EMA report found that, of those who have had some training, it was not done frequently enough to have the desired results. "Employees predominantly received training annually, even though a higher frequency of training has been found to be more effective," said the EMA report.

David Monahan, EMA Research Director, Security and Risk Management, believes that training is one of the most important elements in any ransomware defense strategy. "Security awareness training is critical for a solid security program," said Monahan. "The organizations that fail to train their people are doing their business, their personnel and the Internet as a whole a disservice because the training they provide at work affects how their employees make security decisions while they are on the Internet at home as well."

It isn't enough to include the security information covered in the employee handbook or to conduct an annual training session, perhaps during a lunch break. To be effective, employees must be reminded of security best practices throughout the year and must be tested on the job, not in the classroom, to see if they are applying what they have learned.

Given that IT expects ransomware to increase, knows that Security Awareness Training is the best defense, and also knows that most employees receive no or ineffective Security Awareness Training, it is no surprise that such a high percentage are concerned about ransomware and feel their systems are ineffective.

How Effective Is Security Awareness Training in Combatting Ransomware?

Well, we are willing to bet our own money that our methods of training will work. KnowBe4's Kevin Mitnick Security Awareness Training comes with a crypto-ransom guarantee. If an employee who has taken our training and received at least one phishing security test per month clicks on a link and infects their workstation, KnowBe4 pays your crypto-ransom. Find out how affordable this is for your organization: contact www.sparktechnologiesinc.com for more info.

Guarding Against Ransomware

Given the rapid spread and potentially high cost of ransomware, it is important to take effective steps to guard against this menace. It would be great if one could rely on law enforcement to do the job, but that is not a realistic expectation. True, there are occasional high-profile successes, like the one against the Gameover ZeuS botnet, but that only happened after years of operation and hundreds of millions in losses. And Evgeniy Bogachev, his collaborators and his many competitors are still out causing mischief as they were before.

While the overwhelming majority of IT pros think the criminals behind ransomware should be prosecuted and sent to jail for a long time, U.S. law enforcement has no jurisdiction in Eastern Europe, where these criminals are largely free to commit their crimes. The chances of them being brought to justice at this time are remote. The Russian government seems to use these cybercriminals as a resource they can bring to bear against countries they are in conflict with.

... the weakest point when it comes to blocking ransomware. This includes employees' smartphones, tablets, laptops and home computers. Protection should comprise anti-malware and/or whitelisting software as well as establishing secure policies such as not allowing programs to auto-install, blocking ports, web filtering, share access restrictions, and encryption of data at rest and in flight. The two biggest steps, however, are those that came up in the survey: backup and user training.

Real-time or near-time backup can be an effective countermeasure to minimize the damage caused by ransomware if an infection ever occurs. The infected device can be thoroughly wiped and all applications and data can be reloaded. Yes, it will probably take several hours to restore the device to full working order, but at least one is not spending money that criminals can use to finance further attacks.

But this, of course, assumes that the backup is complete, is current and is able to be restored. It would be nice if those three conditions were the norm for backups, but unfortunately that is far from the case. The fact is that backups consistently fail.

In surveys, most IT managers said they rely on backup to get them out of a tight spot. However, 57% of them agree that if their backup fails, they would be forced to pay the ransom. Sadly, too many backups fail for this to be a wise approach. According to a 2013 report by Symantec, Avoiding the Hidden Costs of the Cloud, 47% of enterprises lost data in the cloud and had to restore their information from backups, 37% of SMBs have lost data in the cloud and had to restore their information from backups, and a startling 66% of those organizations saw recovery operations fail.

"Storage media fails regardless of type; it is just a matter of when," said Jeff Pederson, manager of data recovery operations for Kroll Ontrack. "To avoid such a failure, one should regularly defrag their computer, check its storage capacity, and run antivirus software as well as hard drive monitoring software. Beyond good health practices, businesses and home users should have working redundancies, such as a backup device or service in place, and a continuity plan that is current and accessible in the event of a loss."

Drew Robb is a freelance writer living in Florida specializing in IT and engineering. Originally from Scotland, he is the author of the book Server Disk Management in Windows Environments (CRC Press) as well as hundreds of articles in magazines such as Computerworld, InformationWeek and Writer's Digest.
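The backup advice above turns on three conditions: that the backup is complete, current and able to be restored. Here is an added example, not from the whitepaper or from KnowBe4, of checking all three mechanically in Python: it backs up a directory with a SHA-256 manifest and then verifies it by actually restoring into a scratch directory and re-hashing, so a backup copy that was encrypted or truncated after the fact is caught. The manifest format, the one-day recovery-point objective and the sample files are assumptions.

```python
import hashlib, json, shutil, tempfile, time
from pathlib import Path

MAX_AGE = 24 * 3600  # assumed recovery-point objective: older than a day counts as stale

def make_backup(source, backup_dir):
    # Copy the source tree and record a manifest of per-file SHA-256 digests
    files = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source).as_posix()
            (backup_dir / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, backup_dir / rel)
            files[rel] = hashlib.sha256((backup_dir / rel).read_bytes()).hexdigest()
    (backup_dir / "manifest.json").write_text(json.dumps({"created": time.time(), "files": files}))

def verify_backup(backup_dir, now=None, max_age=MAX_AGE):
    now = time.time() if now is None else now
    m = json.loads((backup_dir / "manifest.json").read_text())
    # Complete: every file the manifest promises is present in the backup set
    missing = [rel for rel in m["files"] if not (backup_dir / rel).is_file()]
    problems = ["missing: " + rel for rel in missing]
    # Current: the backup is no older than the recovery-point objective
    if now - m["created"] > max_age:
        problems.append("stale")
    # Restorable: really restore into a scratch directory and re-hash each file, so an
    # encrypted or truncated copy fails even though the file "exists" in the backup set
    with tempfile.TemporaryDirectory() as scratch:
        for rel, expected in m["files"].items():
            if rel not in missing:
                dest = Path(scratch) / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(backup_dir / rel, dest)
                if hashlib.sha256(dest.read_bytes()).hexdigest() != expected:
                    problems.append("corrupt: " + rel)
    return {"ok": not problems, "problems": problems}

def demo():
    # Constructed sample data: a healthy backup, then the same backup after damage
    src, bak = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    (src / "hr").mkdir()
    (src / "payroll.xlsx").write_bytes(b"constructed spreadsheet bytes")
    (src / "hr" / "resume.docx").write_bytes(b"constructed document bytes")
    make_backup(src, bak)
    healthy = verify_backup(bak)
    (bak / "payroll.xlsx").write_bytes(b"\x00garbage")  # simulate a corrupted copy
    (bak / "hr" / "resume.docx").unlink()               # simulate a file that never made it
    damaged = verify_backup(bak, now=time.time() + 3 * 86400)  # and a check three days later
    shutil.rmtree(src); shutil.rmtree(bak)
    return healthy, damaged
```

Run `demo()` to see the healthy backup pass and the damaged one report a missing file, a stale manifest and a corrupt copy; in practice the restore step is the one that most teams skip and the one that catches silent failures.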
